diff --git a/bind.spec b/bind.spec
index b2f8451..c45b2f1 100644
--- a/bind.spec
+++ b/bind.spec
@@ -63,7 +63,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  MPLv2.0
 Version:  9.16.2
-Release:  2%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  3%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -1160,6 +1160,9 @@ fi;
 
 
 %changelog
+* Mon Apr 27 2020 Petr Menšík <pemensik@redhat.com> - 32:9.16.2-3
+- Correct trust anchors
+
 * Fri Apr 24 2020 Petr Menšík <pemensik@redhat.com> - 32:9.16.2-2
 - Remove warnings in default configuration
 
diff --git a/named.conf.sample b/named.conf.sample
index a6cdc5e..d2ce6dd 100644
--- a/named.conf.sample
+++ b/named.conf.sample
@@ -63,10 +63,6 @@ options
 
 	/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
 
-	/* Enable serving of DNSSEC related data - enable on both authoritative
- 	   and recursive servers DNSSEC aware servers */
-	dnssec-enable yes;
-
 	/* Enable DNSSEC validation on recursive servers */
 	dnssec-validation yes;
 
@@ -182,8 +178,8 @@ view "internal"
 
 key ddns_key
 {
-	algorithm hmac-md5;
-	secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
+	algorithm hmac-sha256;
+	secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
 };
 
 view "external"
@@ -214,39 +210,34 @@ view "external"
 /* Trusted keys
 
   This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
-  have to configure at least one trusted key.
+  should configure at least one trusted key.
 
   Note that no key written below is valid. Especially root key because root zone
   is not signed yet.
 */
 /*
-trusted-keys {
+trust-anchors {
 // Root Key
-"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
-             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
-             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
-             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
-             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
-             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
-             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
+. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		      +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		      ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		      0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		      oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		      RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		      R1AkUTV74bU=";
 
 // Key for forward zone
-example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
-                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
-                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
-                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
-                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
-                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
-                      SCThlHf3xiYleDbt/o1OTQ09A0=";
+example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
+				LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
+				LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
+				UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
+				yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
+				Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
+				Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
+				xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
+
 
 // Key for reverse zone.
-2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
-                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
-                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
-                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
-                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
-                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
-                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
-                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
+2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
 };
 */
diff --git a/named.root.key b/named.root.key
index 647e1bd..e76a698 100644
--- a/named.root.key
+++ b/named.root.key
@@ -1,4 +1,4 @@
-trusted-anchors {
+trust-anchors {
         # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
         # for current trust anchor information.
         #