diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf
index 44607a042b..6c092db306 100644
--- a/bin/tests/system/checkconf/deprecated.conf
+++ b/bin/tests/system/checkconf/deprecated.conf
@@ -13,6 +13,7 @@ options {
 dnssec-validation yes;
+ max-zone-ttl 600;
 };
 trusted-keys {
@@ -36,3 +37,9 @@ managed-keys {
 RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
 R1AkUTV74bU=";
 };
+
+zone example.com {
+ type primary;
+ file "maxttl-bad.db";
+ max-zone-ttl 120;
+};
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 5d6108ecd2..7d8d50e5ca 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -157,6 +157,7 @@ ret=0
 $CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
 grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'max-zone-ttl' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 # set -i to ignore deprecate warnings
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 69fddba873..f6fe74916b 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
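Review bot: The added grep in the tests.sh hunk only proves the `max-zone-ttl` deprecation warning appears at least once, while the deprecated.conf hunk in the same commit places the option both in the `options` block (`600`) and in the `example.com` zone (`120`); if named-checkconf warns per occurrence, `[ "$(grep -c "option 'max-zone-ttl' is deprecated" checkconf.out$n.1)" -eq 2 ] || ret=1` would also confirm that the options/view-scoped form is flagged, not just the zone-scoped one. Note too that `$CHECKCONF deprecated.conf` is run without `-z`, so `maxttl-bad.db` is never loaded and the 120-second cap on the zone is not exercised here; if the intent is to show the deprecated zone-level value still rejects over-TTL records until it is removed, that needs a separate `-z` run or a named-based test. The test case this hunk extends (`n` increment, `ret=0`) begins before the hunk.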
@@ -1802,26 +1802,28 @@ default is used. The default is five minutes. It cannot be longer than :any:`nta-lifetime`, which cannot be longer than a week. -.. namedconf:statement:: max-zone-ttl +:any:`max-zone-ttl` - This specifies a maximum permissible TTL value in seconds. For - convenience, TTL-style time-unit suffixes may be used to specify the - maximum value. When loading a zone file using a :any:`masterfile-format` - of ``text`` or ``raw``, any record encountered with a TTL higher than - :any:`max-zone-ttl` causes the zone to be rejected. + This should now be configured as part of :namedconf:ref:`dnssec-policy`. + Use of this option in :namedconf:ref:`options`, :namedconf:ref:`view` + and :namedconf:ref:`zone` blocks has no effect on any zone for which + a :namedconf:ref:`dnssec-policy` has also been configured. In zones + without :namedconf:ref:`dnssec-policy`, this option is deprecated, + and will be rendered non-operational in a future release. + + :any:`max-zone-ttl` specifies a maximum permissible TTL value in seconds. + For convenience, TTL-style time-unit suffixes may be used to specify the + maximum value. When a zone file is loaded, any record encountered with a + TTL higher than :any:`max-zone-ttl` causes the zone to be rejected. This is needed in DNSSEC-maintained zones because when rolling to a new DNSKEY, the old key needs to remain available until RRSIG records have expired from caches. The :any:`max-zone-ttl` option guarantees that the largest TTL in the zone is no higher than the set value. - In the :namedconf:ref:`options` and :namedconf:ref:`zone` blocks, - the default value is ``unlimited``. A :any:`max-zone-ttl` of zero is - treated as ``unlimited``. - - In the :namedconf:ref:`dnssec-policy` block, - the default value is ``PT24H`` (24 hours). A :any:`max-zone-ttl` of - zero is treated as if the default value were in use. 
+ When used in :namedconf:ref:`options`, :namedconf:ref:`view` and + :namedconf:ref:`zone` blocks, setting :any:`max-zone-ttl` to zero + is equivalent to "unlimited". .. namedconf:statement:: stale-answer-ttl @@ -4213,9 +4215,9 @@ Tuning Note that when a zone file in a format other than ``text`` is loaded, :iscman:`named` may omit some of the checks which are performed for a file in ``text`` format. For example, :any:`check-names` only applies when loading - zones in ``text`` format, and :any:`max-zone-ttl` only applies to ``text`` - and ``raw``. Zone files in binary formats should be generated with the - same check level as that specified in the :iscman:`named` configuration file. + zones in ``text`` format. Zone files in ``raw`` format should be generated + with the same check level as that specified in the :iscman:`named` + configuration file. When configured in :namedconf:ref:`options`, this statement sets the :any:`masterfile-format` for all zones, but it can be overridden on a @@ -5982,10 +5984,20 @@ The following options can be specified in a :any:`dnssec-policy` statement: This is similar to :any:`signatures-validity`, but for DNSKEY records. The default is ``P2W`` (2 weeks). -:any:`max-zone-ttl` +.. namedconf:statement:: max-zone-ttl + + This specifies the maximum permissible TTL value for the zone. When + a zone file is loaded, any record encountered with a TTL higher than + :any:`max-zone-ttl` causes the zone to be rejected. + + This ensures that when rolling to a new DNSKEY, the old key will remain + available until RRSIG records have expired from caches. The + :any:`max-zone-ttl` option guarantees that the largest TTL in the + zone is no higher than a known and predictable value. + + The default value ``PT24H`` (24 hours). A value of zero is treated + as if the default value were in use. - Like the :namedconf:ref:`max-zone-ttl` zone option, this specifies the maximum - permissible TTL value, in seconds, for the zone. .. namedconf:statement:: nsec3param 
@@ -6779,6 +6791,8 @@ Zone Options :any:`max-zone-ttl` See the description of :any:`max-zone-ttl` in :ref:`options`. + The use of this option in :any:`zone` blocks is deprecated and + will be rendered nonoperational in a future release. :any:`dnssec-secure-to-insecure` See the description of :any:`dnssec-secure-to-insecure` in :ref:`boolean_options`.
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 2fc6bd1eb7..cbc565134c 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -247,7 +247,7 @@ options {
 max\-transfer\-time\-in ;
 max\-transfer\-time\-out ;
 max\-udp\-size ;
- max\-zone\-ttl ( unlimited | );
+ max\-zone\-ttl ( unlimited | ); // deprecated
 memstatistics ;
 memstatistics\-file ;
 message\-compression ;
@@ -534,7 +534,7 @@ view [ ] {
 max\-transfer\-time\-in ;
 max\-transfer\-time\-out ;
 max\-udp\-size ;
- max\-zone\-ttl ( unlimited | );
+ max\-zone\-ttl ( unlimited | ); // deprecated
 message\-compression ;
 min\-cache\-ttl ;
 min\-ncache\-ttl ;
@@ -703,7 +703,7 @@ zone [ ] {
 max\-records ;
 max\-transfer\-idle\-out ;
 max\-transfer\-time\-out ;
- max\-zone\-ttl ( unlimited | );
+ max\-zone\-ttl ( unlimited | ); // deprecated
 notify ( explicit | master\-only | primary\-only | );
 notify\-delay ;
 notify\-source ( | * ) [ port ( | * ) ] [ dscp ];
@@ -902,7 +902,7 @@ zone [ ] {
 masterfile\-format ( raw | text );
 masterfile\-style ( full | relative );
 max\-records ;
- max\-zone\-ttl ( unlimited | );
+ max\-zone\-ttl ( unlimited | ); // deprecated
 primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 zone\-statistics ( full | terse | none | );
 };
diff --git a/doc/misc/options b/doc/misc/options
index 37558e36da..1681be1514 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -190,7 +190,7 @@ options {
 max-transfer-time-in ;
 max-transfer-time-out ;
 max-udp-size ;
- max-zone-ttl ( unlimited | );
+ max-zone-ttl ( unlimited | ); // deprecated
 memstatistics ;
 memstatistics-file ;
 message-compression ;
@@ -477,7 +477,7 @@ view [ ] {
 max-transfer-time-in ;
 max-transfer-time-out ;
 max-udp-size ;
- max-zone-ttl ( unlimited | );
+ max-zone-ttl ( unlimited | ); // deprecated
 message-compression ;
 min-cache-ttl ;
 min-ncache-ttl ;
diff --git a/doc/misc/primary.zoneopt b/doc/misc/primary.zoneopt
index c8ceb6d29f..5501962f4c 100644
--- a/doc/misc/primary.zoneopt
+++ b/doc/misc/primary.zoneopt
@@ -40,7 +40,7 @@ zone [ ] {
 max-records ;
 max-transfer-idle-out ;
 max-transfer-time-out ;
- max-zone-ttl ( unlimited | );
+ max-zone-ttl ( unlimited | ); // deprecated
 notify ( explicit | master-only | primary-only | );
 notify-delay ;
 notify-source ( | * ) [ port ( | * ) ] [ dscp ];
diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt
index 1c34bb11f1..845ca96062 100644
--- a/doc/misc/redirect.zoneopt
+++ b/doc/misc/redirect.zoneopt
@@ -7,7 +7,7 @@ zone [ ] {
 masterfile-format ( raw | text );
 masterfile-style ( full | relative );
 max-records ;
- max-zone-ttl ( unlimited | );
+ max-zone-ttl ( unlimited | ); // deprecated
 primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... };
 zone-statistics ( full | terse | none | );
 };
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index a438fe1f5e..64d0ddb494 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2300,7 +2300,7 @@ static cfg_clausedef_t zone_clauses[] = {
 { "max-transfer-time-out", &cfg_type_uint32,
 CFG_ZONE_PRIMARY | CFG_ZONE_MIRROR | CFG_ZONE_SECONDARY },
 { "max-zone-ttl", &cfg_type_maxduration,
- CFG_ZONE_PRIMARY | CFG_ZONE_REDIRECT },
+ CFG_ZONE_PRIMARY | CFG_ZONE_REDIRECT | CFG_CLAUSEFLAG_DEPRECATED },
 { "min-refresh-time", &cfg_type_uint32,
 CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
 { "min-retry-time", &cfg_type_uint32,
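Review bot: Adding `CFG_CLAUSEFLAG_DEPRECATED` to the `max-zone-ttl` entry of `zone_clauses` yields only the generic "option is deprecated" warning, yet the reference.rst hunk in this same commit says the value is silently ignored for any zone that also has `dnssec-policy`; nothing in the new code calls out that specific combination, which is exactly where an operator counting on the cap for DNSKEY-rollover safety (the rationale the same doc hunk gives) would be misled. A named-checkconf check that reports when both `max-zone-ttl` and `dnssec-policy` apply to a zone, and which value wins, would make the deprecation actionable; that belongs in the config checker rather than this table, so it is a follow-up rather than a change to this hunk. A short comment on the entry, `/* Deprecated outside dnssec-policy; the dnssec-policy clause of the same name replaces it. */`, would help the next reader of this table. The generated grammar files in this commit show the `// deprecated` marker at `options` and `view` scope as well, so this one entry appears to cover all three scopes; worth confirming that is how the table is shared rather than inferring it from the docs. The `zone_clauses` array begins and ends outside this hunk.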