diff --git a/CHANGES b/CHANGES
index 39e5edf8bf..ea963e9e01 100644
--- a/CHANGES
+++ b/CHANGES
@@ -35,7 +35,9 @@
 5821.	[bug]		Fix query context management issues in the TCP part
 			of dig. [GL #3184]
 
-5820.	[placeholder]
+5820.	[security]	An assertion could occur in resume_dslookup() if the
+			fetch had been shut down earlier. (CVE-2022-0667)
+			[GL #3129]
 
 5819.	[security]	Lookups involving a DNAME could trigger an INSIST when
 			"synth-from-dnssec" was enabled. (CVE-2022-0635)
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 3844fc0124..5e6097a090 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -35,6 +35,10 @@ Security Fixes
   ISC would like to thank Vincent Levigneron from AFNIC for bringing
   this vulnerability to our attention. :gl:`#3158`
 
+- When chasing DS records, a timed-out or artificially delayed fetch
+  could cause ``named`` to crash while resuming a DS lookup.
+  (CVE-2022-0667) :gl:`#3129`
+
 Known Issues
 ~~~~~~~~~~~~