diff --git a/howto/dns.md b/howto/dns.md
index 6932ea024d98e3ad96084861e0817a619d60170d..97b74217afa8addf25063add474788913df09b00 100644
--- a/howto/dns.md
+++ b/howto/dns.md
@@ -88,9 +88,11 @@ To fix this error, you need to [visit joker.com](https://joker.com/) and authent
 with the password in `hosts-extra-info` in tor-passwords, along with
 the 2FA dance. Then:
 
- 1. click on the gear next to the domain affected
- 2. edit the DNSSEC section
- 3. click "more" to add a record
+ 1. click on the "modify" button next to the domain affected (was
+    first a gear but is now a pen-like icon thing)
+ 2. find the DNSSEC section
+ 3. click the "modify" button to edit records
+ 4. click "more" to add a record
 
 The new key should already be present on the DNS master (currently
 `nevii`) in:
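Review bot: Steps 1 and 3 both tell the reader to click a "modify" button, so the two cannot be told apart by label alone; in step 3, say that it is the modify button inside the DNSSEC section found in step 2. The parenthetical in step 1 ("was first a gear but is now a pen-like icon thing") records UI history that will go stale again, so consider describing only the current control or dating the remark.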
@@ -103,14 +105,18 @@ It is in the format (from [rfc4034](https://tools.ietf.org/html/rfc4034)):
 
 For example:
 
-    torproject.net.  IN DS 53722 8 2 6d3d2be639594ffe34d4c5b9214fe5ddf81b8ee1c8505f5ec1a800dc4a809a91; Pub: 2019-05-25 17:40:08;  Act: 2019-05-25 17:40:08;  Inact: 2021-09-11 17:40:08;  Del: 2021-09-11 17:40:08;  Rev: 2021-08-12 17:40:08
+    torproject.com.  IN DS 28234 8 2 260a11137e3fca013b90da649d50e9c5eb71b814cc1797ea81ee7c91c17b398a; Pub: 2019-05-25 17:40:07;  Act: 2019-05-25 17:40:07;  Inact: 2021-11-16 17:40:07;  Del: 2021-11-16 17:40:07;  Rev: 2021-10-02 17:40:07
+    torproject.com.  IN DS 57040 8 2 ebdf81e6b773f243cdee2879f0d12138115d9b14d560276fcd88e9844777d7e3; Pub: 2021-06-13 17:40:07;  Act: 2021-06-13 17:40:07;  Inact: 2023-10-16 17:40:07;  Del: 2023-10-16 17:40:07;  Rev: 2023-09-01 17:40:07
+
+Note that there are *two* keys there: one (the oldest) should already
+be in Joker. you need to add the new one.
 
 With the above, you would have the following in Joker:
 
  * `alg`: 8
- * `digest`: 6d3d2be639594ffe34d4c5b9214fe5ddf81b8ee1c8505f5ec1a800dc4a809a91
+ * `digest`: ebdf81e6b773f243cdee2879f0d12138115d9b14d560276fcd88e9844777d7e3
  * `type`: 2
- * `keytag`: 53722
+ * `keytag`: 57040
 
 And click "save".
 
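Review bot: In the added note, "be in Joker. you need to add the new one." starts a sentence in lowercase and leaves the reader to work out which DS line is the new one. Suggest capitalizing "You" and naming the key explicitly: keytag 57040, the line with the later Pub/Act date (2021-06-13), which is the one the field list below uses. It would also help to state whether the older record (keytag 28234) stays in Joker alongside the new one, since the text only says it "should already be" there.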
@@ -204,7 +210,6 @@ of a zone:
 Notice how the `38.in-addr.arpa` zone is not signed? This zone can
 therefore not be signed with DNSSEC.
 
-
 ### DNS - delegation and signature expiry is WARNING
 
 If you get a warning like this:
@@ -231,7 +236,6 @@ If it's not delegated, it's because you forgot step 8 in the zone
 addition procedure. Ask your upstream or registrar to delegate the
 zone and run the checks again.
 
-
 # Discussion
 
 ## Design