diff --git a/CHANGES b/CHANGES
index d912b2f55a..4b45bd2792 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6009.	[bug]		Don't trust a placeholder KEYDATA from the managed-keys
+			zone by adding it into secroots. [GL #2895]
+
 6008.	[bug]		Fixed a race condition that could cause a crash
 			in dns_zone_synckeyzone(). [GL #3617]
 
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 2289c72e19..0114bf583f 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -54,3 +54,9 @@ Bug Fixes
 - The port in remote servers such as in :any:`primaries` and
   :any:`parental-agents` could be wrongly configured because of an inheritance
   bug. :gl:`#3627`
+
+- When having Internet connectivity issues during the initial startup of
+  ``named``, BIND resolver with :any:`dnssec-validation` set to ``auto`` could
+  enter into a state where it would not recover without stopping ``named``,
+  manually deleting ``managed-keys.bind`` and ``managed-keys.bind.jnl`` files,
+  and starting ``named`` again. :gl:`#2895`