diff --git a/CHANGES b/CHANGES index 63a2c54db1..344afbca5f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +5574. [func] Incoming zone transfers can now use TLS. + Addresses in a "primaries" list take an optional + "tls" argument, specifying either a previously + configured "tls" block or "ephemeral"; SOA queries + and zone transfer requests will then be sent via + TLS. [GL #2392] + 5573. [func] Also return stale data if an error occurred and we are not resuming. Only start the stale-refresh-time window if we timed out. [GL #2434] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 600911bd2a..82677a00ee 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -47,6 +47,11 @@ New Features case, we will try to answer DNS requests with stale data, but not start the ``stale-refresh-time`` window. [GL #2434] +- ``named`` now supports XFR-over-TLS (XoT) for incoming as well as + outgoing zone transfers. Addresses in a ``primaries`` list can take + an optional ``tls`` option which specifies either a previously configured + ``tls`` statement or ``ephemeral``. [GL #2392] + Removed Features ~~~~~~~~~~~~~~~~
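Review bot: In the CHANGES hunk, entry 5574 ends with "SOA queries and zone transfer requests will then be sent via TLS" but does not say whether the primary's certificate is verified, or what happens when the TLS handshake fails. An operator reading "ephemeral" cannot tell from this text whether the option authenticates the primary or only encrypts the transfer, and whether a failed handshake falls back to plain TCP. Suggest adding one clause that states the verification and failure behaviour, or a pointer to the reference manual section that does.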
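Review bot: In the doc/notes/notes-current.rst hunk, the new bullet speaks of a ``tls`` option naming a ``tls`` statement, while the CHANGES entry in the same patch calls these a "tls" argument and a "tls" block. The bullet also omits the point CHANGES makes that SOA queries, not only the transfer requests, are sent via TLS. Suggest using one pair of terms in both files and carrying the SOA sentence into the release note, since users reading only the notes would otherwise not know the refresh query is covered.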