diff --git a/sys/kern/kern_fork.c b/sys/kern/kern_fork.c
--- a/sys/kern/kern_fork.c
+++ b/sys/kern/kern_fork.c
@@ -368,6 +368,7 @@
 	struct filedesc_to_leader *fdtol;
 	struct pwddesc *pd;
 	struct sigacts *newsigacts;
+	enum prison_state pr_state;
 
 	p1 = td->td_proc;
 
@@ -710,6 +711,19 @@
 	 */
 	knote_fork(p1->p_klist, p2->p_pid);
 
+	/*
+	 * See if the containing prison died while the process was still new.
+	 */
+	prison_lock(p2->p_ucred->cr_prison);
+	pr_state = p2->p_ucred->cr_prison->pr_state;
+	prison_unlock(p2->p_ucred->cr_prison);
+	if (pr_state == PRISON_STATE_DYING) {
+		/* Folow the prison into death. */
+		PROC_LOCK(p2);
+		kern_psignal(p2, SIGKILL);
+		PROC_UNLOCK(p2);
+	}
+
 	/*
 	 * Now can be swapped.
 	 */
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -101,7 +101,7 @@
 #define	JAIL_UPDATE	0x02	/* Update parameters of existing jail */
 #define	JAIL_ATTACH	0x04	/* Attach to jail upon creation */
 #define	JAIL_DYING	0x08	/* Allow getting a dying jail */
-#define	JAIL_SET_MASK	0x0f
+#define	JAIL_SET_MASK	0x0f	/* JAIL_DYING is deprecated/ignored here */
 #define	JAIL_GET_MASK	0x08
 
 #define	JAIL_SYS_DISABLE	0
@@ -180,7 +180,7 @@
 	struct prison_racct *pr_prison_racct;		/* (c) racct jail proxy */
 	void		*pr_sparep[3];
 	int		 pr_childcount;			/* (a) number of child jails */
-	int		 pr_childmax;			/* (p) maximum child jails */
+	int		 pr_childmax;			/* (a) maximum child jails */
 	unsigned	 pr_allow;			/* (p) PR_ALLOW_* flags */
 	int		 pr_securelevel;		/* (p) securelevel */
 	int		 pr_enforce_statfs;		/* (p) statfs permission */
@@ -218,6 +218,7 @@
 					/* primary jail address. */
 
 /* Internal flag bits */
+#define	PR_REMOVE	0x01000000	/* In process of being removed */
 #define	PR_IP4		0x02000000	/* IPv4 restricted or disabled */
 					/* by this jail or an ancestor */
 #define	PR_IP6		0x04000000	/* IPv6 restricted or disabled */
@@ -334,6 +335,19 @@
 		if ((descend) ? (prison_lock(cpr), 0) : 1)		\
 			;						\
 		else
+
+/*
+ * As FOREACH_PRISON_DESCENDANT, but visit both preorder and postorder.
+ */
+#define FOREACH_PRISON_DESCENDANT_PRE_POST(ppr, cpr, descend)		\
+	for ((cpr) = (ppr), (descend) = 1;				\
+	     ((cpr) = (descend)						\
+	      ? ((descend) = !LIST_EMPTY(&(cpr)->pr_children))		\
+		? LIST_FIRST(&(cpr)->pr_children)			\
+		: (cpr)							\
+	      : ((descend) = LIST_NEXT(cpr, pr_sibling) != NULL)	\
+		? LIST_NEXT(cpr, pr_sibling)				\
+		: cpr->pr_parent) != (ppr);)
 
 /*
  * Attributes of the physical system, and the root of the jail tree.
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 18, 2020
+.Dd January 11, 2020
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -136,10 +136,6 @@
 .Pp
 Other available options are:
 .Bl -tag -width indent
-.It Fl d
-Allow making changes to a dying jail, equivalent to the
-.Va allow.dying
-parameter.
 .It Fl f Ar conf_file
 Use configuration file
 .Ar conf_file
@@ -207,6 +203,10 @@
 .It Fl v
 Print a message on every operation, such as running commands and
 mounting filesystems.
+.It Fl d
+This is deprecated, and equivalent to the (deprecated)
+.Va allow.dying
+parameter.
 .El
 .Pp
 If no arguments are given after the options, the operation (except
@@ -903,9 +903,14 @@
 .Pa /proc
 directory.
 .It Va allow.dying
-Allow making changes to a
+This deprecated and has no effect.
+It used to allow making changes to a
 .Va dying
 jail.
+Now such jails are always replaced when a new jail is created with the same
+.Va jid
+or
+.Va name .
 .It Va depend
 Specify a jail (or jails) that this jail depends on.
 When this jail is to be created, any jail(s) it depends on must already exist.
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@@ -65,7 +65,7 @@
 static void clear_persist(struct cfjail *j);
 static int update_jail(struct cfjail *j);
 static int rdtun_params(struct cfjail *j, int dofail);
-static void running_jid(struct cfjail *j, int dflag);
+static void running_jid(struct cfjail *j);
 static void jail_quoted_warnx(const struct cfjail *j, const char *name_msg,
     const char *noname_msg);
 static int jailparam_set_note(const struct cfjail *j, struct jailparam *jp,
@@ -140,7 +140,7 @@
 	char *JidFile;
 	size_t sysvallen;
 	unsigned op, pi;
-	int ch, docf, error, i, oldcl, sysval;
+	int ch, docf, error, i, oldcl, sysval, dying_warned;
 	int dflag, Rflag;
 #if defined(INET) || defined(INET6)
 	char *cs, *ncs;
@@ -377,6 +377,7 @@
 	 * operation on it.  When that is done, the jail may be finished,
 	 * or it may go back for the next step.
 	 */
+	dying_warned = 0;
 	while ((j = next_jail()))
 	{
 		if (j->flags & JF_FAILED) {
@@ -397,11 +398,13 @@
 			    import_params(j) < 0)
 				continue;
 		}
+		if (j->intparams[IP_ALLOW_DYING] && !dying_warned) {
+			warnx("%s", "the 'allow.dying' parameter and '-d' flag"
+			    "are deprecated and have no effect.");
+			dying_warned = 1;
+		}
 		if (!j->jid)
-			running_jid(j,
-			    (j->flags & (JF_SET | JF_DEPEND)) == JF_SET
-			    ? dflag || bool_param(j->intparams[IP_ALLOW_DYING])
-			    : 0);
+			running_jid(j);
 		if (finish_command(j))
 			continue;
 
@@ -613,11 +616,10 @@
 int
 create_jail(struct cfjail *j)
 {
-	struct iovec jiov[4];
 	struct stat st;
-	struct jailparam *jp, *setparams, *setparams2, *sjp;
+	struct jailparam *jp, *setparams, *sjp;
 	const char *path;
-	int dopersist, ns, jid, dying, didfail;
+	int dopersist, ns;
 
 	/*
 	 * Check the jail's path, with a better error message than jail_set
@@ -657,57 +659,8 @@
 			*sjp++ = *jp;
 	ns = sjp - setparams;
 
-	didfail = 0;
 	j->jid = jailparam_set_note(j, setparams, ns, JAIL_CREATE);
-	if (j->jid < 0 && errno == EEXIST &&
-	    bool_param(j->intparams[IP_ALLOW_DYING]) &&
-	    int_param(j->intparams[KP_JID], &jid) && jid != 0) {
-		/*
-		 * The jail already exists, but may be dying.
-		 * Make sure it is, in which case an update is appropriate.
-		 */
-		jiov[0].iov_base = __DECONST(char *, "jid");
-		jiov[0].iov_len = sizeof("jid");
-		jiov[1].iov_base = &jid;
-		jiov[1].iov_len = sizeof(jid);
-		jiov[2].iov_base = __DECONST(char *, "dying");
-		jiov[2].iov_len = sizeof("dying");
-		jiov[3].iov_base = &dying;
-		jiov[3].iov_len = sizeof(dying);
-		if (jail_get(jiov, 4, JAIL_DYING) < 0) {
-			/*
-			 * It could be that the jail just barely finished
-			 * dying, or it could be that the jid never existed
-			 * but the name does.  In either case, another try
-			 * at creating the jail should do the right thing.
-			 */
-			if (errno == ENOENT)
-				j->jid = jailparam_set_note(j, setparams, ns,
-				    JAIL_CREATE);
-		} else if (dying) {
-			j->jid = jid;
-			if (rdtun_params(j, 1) < 0) {
-				j->jid = -1;
-				didfail = 1;
-			} else {
-				sjp = setparams2 = alloca((j->njp + dopersist) *
-				    sizeof(struct jailparam));
-				for (jp = setparams; jp < setparams + ns; jp++)
-					if (!JP_RDTUN(jp) ||
-					    !strcmp(jp->jp_name, "jid"))
-						*sjp++ = *jp;
-				j->jid = jailparam_set_note(j, setparams2,
-				    sjp - setparams2, JAIL_UPDATE | JAIL_DYING);
-				/*
-				 * Again, perhaps the jail just finished dying.
-				 */
-				if (j->jid < 0 && errno == ENOENT)
-					j->jid = jailparam_set_note(j,
-					    setparams, ns, JAIL_CREATE);
-			}
-		}
-	}
-	if (j->jid < 0 && !didfail) {
+	if (j->jid < 0) {
 		jail_warnx(j, "%s", jail_errmsg);
 		failed(j);
 	}
@@ -772,9 +725,7 @@
 		if (!JP_RDTUN(jp))
 			*++sjp = *jp;
 
-	jid = jailparam_set_note(j, setparams, ns,
-	    bool_param(j->intparams[IP_ALLOW_DYING])
-	    ? JAIL_UPDATE | JAIL_DYING : JAIL_UPDATE);
+	jid = jailparam_set_note(j, setparams, ns, JAIL_UPDATE);
 	if (jid < 0) {
 		jail_warnx(j, "%s", jail_errmsg);
 		failed(j);
@@ -813,8 +764,7 @@
 			rtjp->jp_value = NULL;
 		}
 	rval = 0;
-	if (jailparam_get(rtparams, nrt,
-	    bool_param(j->intparams[IP_ALLOW_DYING]) ? JAIL_DYING : 0) > 0) {
+	if (jailparam_get(rtparams, nrt, 0) > 0) {
 		rtjp = rtparams + 1;
 		for (jp = j->jp; rtjp < rtparams + nrt; jp++) {
 			if (JP_RDTUN(jp) && strcmp(jp->jp_name, "jid")) {
@@ -851,7 +801,7 @@
  * Get the jail's jid if it is running.
  */
 static void
-running_jid(struct cfjail *j, int dflag)
+running_jid(struct cfjail *j)
 {
 	struct iovec jiov[2];
 	const char *pval;
@@ -877,7 +827,7 @@
 		j->jid = -1;
 		return;
 	}
-	j->jid = jail_get(jiov, 2, dflag ? JAIL_DYING : 0);
+	j->jid = jail_get(jiov, 2, 0);
 }
 
 static void
@@ -906,10 +856,9 @@
 
 	jid = jailparam_set(jp, njp, flags);
 	if (verbose > 0) {
-		jail_note(j, "jail_set(%s%s)",
+		jail_note(j, "jail_set(%s)",
 		    (flags & (JAIL_CREATE | JAIL_UPDATE)) == JAIL_CREATE
-		    ? "JAIL_CREATE" : "JAIL_UPDATE",
-		    (flags & JAIL_DYING) ? " | JAIL_DYING" : "");
+		    ? "JAIL_CREATE" : "JAIL_UPDATE");
 		for (i = 0; i < njp; i++) {
 			printf(" %s", jp[i].jp_name);
 			if (jp[i].jp_value == NULL)