diff --git a/crates/core/src/node.rs b/crates/core/src/node.rs
index 104e441..18875ad 100644
--- a/crates/core/src/node.rs
+++ b/crates/core/src/node.rs
@@ -19,7 +19,17 @@ use crate::types::{
 };
 
 /// Built-in default anchor — always available as a bootstrap fallback.
-const DEFAULT_ANCHOR: &str = "17af141956ae0b50dc1cb9248cadf5fca371ea2d8531ac9add3c03caffc61441@itsgoin.net:4433";
+/// Bootstrap anchor connect string. The NodeId here is the anchor's CURRENT
+/// network identity (used for QUIC handshake / cert verification). It was
+/// rotated from `17af14...` to `ab2b72...` by v0.6.1's upgrade path on the
+/// anchor host at 2026-04-22 22:57 UTC. The old key became the anchor's
+/// posting identity (see `DEFAULT_ANCHOR_POSTING_ID` in lib.rs) and is
+/// used to verify signed announcements; it is NOT used for connection
+/// verification.
+///
+/// Clients compiled against the pre-rotation value fail the TLS handshake
+/// with "UnknownIssuer" because they pin the wrong cert identity.
+const DEFAULT_ANCHOR: &str = "ab2b7258ef0b75b2c6ee8bf6595232055f6199d584d3c0fc10b15a1ed549aa13@itsgoin.net:4433";
 
 /// A distsoc node: ties together identity, storage, and networking
 pub struct Node {