Correct the BIND ARM to say that the default session-key for use with 'update-policy local;' is generated at startup
The BIND ARM says:
A pre-defined update-policy rule can be switched on with the command update-policy local;. Switching on this rule in a zone causes named to generate a TSIG session key and place it in a file. That key will then be allowed to update the zone, if the update request is sent from local- host. By default, the session key is stored in the file /var/run/named/session.key; the key name is "local-ddns" and the key algorithm is HMAC-SHA256. These values are configurable with the session-keyfile, session-keyname and session-keyalg options, respectively).
This is not actually true - the session-key is generated when named starts up, irrespective of whether it's needed or not.