document correctly the last stage of the DNSSEC rotation

spotted in team#40432

howto/dns.md

@@ -128,10 +128,15 @@ The changes will take a while (~10 hours?) to trickle out into all
 caches, so it might take a while for the Nagios check to return green.
 
 Eventually, Nagios will complain about the old keys, and we can remove
-them. Make sure to remove the *old* key, not the new key. Be careful
-because the web interface might sort the keys in an unexpected
-way. check the keytag and compare with the expiration specified in the
-`dsset` file.
+them from the registrar. Make sure to remove the *old* key, not the
+new key. Be careful because the web interface might sort the keys in
+an unexpected way. Check the keytag and compare with the expiration
+specified in the `dsset` file. The Nagios warning that you will see
+will look like:
+
+    DNS - security delegations: WARNING: torproject.com (57040,-28234), torproject.net (63619,-53722), torproject.org (33670,-28486)
+
+The `-` entries (e.g. `-28234`) are the ones that should be removed.
 
 Note: this procedure could be automated by talking with the
 registrar's API, for example [Joker.com's DMAPI domain modification
@@ -236,6 +241,16 @@ If it's not delegated, it's because you forgot step 8 in the zone
 addition procedure. Ask your upstream or registrar to delegate the
 zone and run the checks again.
 
+### DNS - security delegations is WARNING
+
+This error:
+
+    11:51:19 <nsa> tor-nagios: [global] DNS - security delegations is WARNING: WARNING: torproject.net (63619,-53722), torproject.org (33670,-28486)
+
+... **will** happen after rotating the DNSSEC keys at the
+registrar. The trick is then simply to remove those keys, at the
+registrar. See [DS records expiry and renewal](#ds-records-expiry-and-renewal) for the procedure.
+
 # Discussion
 
 ## Design