diff --git a/CHANGES b/CHANGES
index a3e5163329..adb94d3368 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4788. [cleanup] When using "update-policy local", log a warning
+ when an update matching the session key is received
+ from a remote host. [RT #46213]
+
 4787. [cleanup] Turn nsec3param_salt_totext() into a public function, dns_nsec3param_salttotext(), and add unit tests for it. [RT #46289]
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index df5e65c6b8..52b002bdca 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -486,6 +486,7 @@ fi
 n=`expr $n + 1`
 ret=0
 echo "I:check that 'update-policy local' fails from non-localhost address ($n)"
+grep 'match on session key not from localhost' ns5/named.run > /dev/null && ret=1
 $NSUPDATE -p 5300 -k ns5/session.key > nsupdate.out.$n 2>&1 << END && ret=1
 server 10.53.0.5 5300
 local 10.53.0.1
@@ -493,6 +494,7 @@ update add nonlocal.local.nil. 600 A 4.3.2.1
 send
 END
 grep REFUSED nsupdate.out.$n > /dev/null 2>&1 || ret=1
+grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1
 $DIG @10.53.0.5 -p 5300 \
 	+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
 	nonlocal.local.nil. > dig.out.ns5.$n || ret=1
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index 4a23172334..6c740938fa 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -73,6 +73,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
 #define DNS_LOGMODULE_NTA (&dns_modules[30])
 #define DNS_LOGMODULE_DYNDB (&dns_modules[31])
 #define DNS_LOGMODULE_DNSTAP (&dns_modules[32])
+#define DNS_LOGMODULE_SSU (&dns_modules[33])
 ISC_LANG_BEGINDECLS
diff --git a/lib/dns/log.c b/lib/dns/log.c
index eff1bdbb9f..e3cabc9825 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
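Review bot: The post-check in the second hunk, `grep 'match on session key not from localhost' ns5/named.run > /dev/null || ret=1`, runs the instant nsupdate returns, so it assumes the warning has already been written to ns5/named.run by the time the REFUSED response is seen; if the log write can lag the response on a loaded test host, this check is racy and would be safer as a short poll, e.g. `for i in 1 2 3 4 5; do grep 'match on session key not from localhost' ns5/named.run > /dev/null && break; sleep 1; done`. The pre-check added in the first hunk is a sensible precondition, but it redirects only stdout (`> /dev/null`) while the adjacent `grep REFUSED nsupdate.out.$n > /dev/null 2>&1` also silences stderr; using the same redirection in both new greps keeps the test's output consistent. Both greps match a substring of the message, so the checks would survive the message being extended (for instance with the client address) in lib/dns/ssu.c.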
@@ -79,6 +79,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
 	{ "dns/nta", 0 },
 	{ "dns/dyndb", 0 },
 	{ "dns/dnstap", 0 },
+	{ "dns/ssu", 0 },
 	{ NULL, 0 }
 };
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
index d39f457480..0be3ca8d6e 100644
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@@ -425,12 +425,21 @@ dns_ssutable_checkrules2(dns_ssutable_t *table, const dns_name_t *signer,
 				continue;
 			}
 			if (!dns_name_issubdomain(name, rule->name)) {
-
 				continue;
 			}
 			dns_acl_match(addr, NULL, env->localhost, NULL,
 				      &match, NULL);
 			if (match == 0) {
+				if (signer != NULL) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_GENERAL,
+						      DNS_LOGMODULE_SSU,
+						      ISC_LOG_WARNING,
+						      "update-policy local: "
+						      "match on session "
+						      "key not from "
+						      "localhost");
+				}
 				continue;
 			}
 			break;
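Review bot: The new warning in the `if (match == 0)` branch tells the operator that a session-key-signed update arrived from a non-localhost address but omits the address itself, which is the one fact needed to find out where the key leaked to; since `addr` is the same pointer handed to dns_acl_match() it is an isc_netaddr_t and can be formatted into the message with isc_netaddr_format() as sketched below. The `if (signer != NULL)` guard is undocumented: if the identity comparison earlier in the loop already dereferences signer, the guard is dead code, and if signer can genuinely be NULL here the silent skip deserves a comment such as `/* an unsigned request cannot have matched the session key; nothing to warn about */` — I cannot tell which from the hunk, because dns_ssutable_checkrules2 starts and ends outside it. Because the branch ends in `continue`, a table holding several local rules may emit this line once per rule for a single update, which is probably acceptable for a WARNING but worth a comment. The tests.sh checks grep for a substring of this message, so appending the address does not break them.
```c
			if (match == 0) {
				if (signer != NULL) {
					char addrbuf[ISC_NETADDR_FORMATSIZE];

					/* Name the peer so the leak can be traced. */
					isc_netaddr_format(addr, addrbuf,
							   sizeof(addrbuf));
					isc_log_write(dns_lctx,
						      DNS_LOGCATEGORY_GENERAL,
						      DNS_LOGMODULE_SSU,
						      ISC_LOG_WARNING,
						      "update-policy local: "
						      "match on session "
						      "key not from "
						      "localhost: %s",
						      addrbuf);
				}
				continue;
			}
			/* … unchanged: break out of the rule loop … */
```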