diff --git a/CHANGES b/CHANGES
index ff445f22fb..7ea8466bb7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5899. [func] Don't try to process DNSSEC-related and ZONEMD records
+ in catz. [GL #3380]
+
 5898. [cleanup] Simplify BIND's internal DNS name compression API. As RFC 6891 explains, it isn't practical to deploy new label types or compression methods, so it isn't
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 4537e372ea..2cdadf56de 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -45,3 +45,6 @@ Bug Fixes
 - Key files were updated every time the ``dnssec-policy`` key manager ran, whether the metadata has changed or not. BIND now checks if changes were applied before writing out the key files. :gl:`#3302`.
+
+- DNSSEC-signed catalog zones were not being processed correctly. This
+ has been fixed. :gl:`#3380`.
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 6007a1cab1..c926be424c 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -2088,6 +2088,12 @@ cleanup:
 return (result);
 }
+static bool
+catz_rdatatype_is_processable(const dns_rdatatype_t type) {
+ return (!dns_rdatatype_isdnssec(type) && type != dns_rdatatype_cds &&
+ type != dns_rdatatype_cdnskey && type != dns_rdatatype_zonemd);
+}
+
 void
 dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 dns_catz_zone_t *oldzone = NULL, *newzone = NULL;
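Review bot: catz_rdatatype_is_processable() is written as a denylist and carries no comment, so the reason CDS, CDNSKEY and ZONEMD are named separately from dns_rdatatype_isdnssec() has to be guessed (presumably that predicate does not cover them). A short header comment would record the intent, e.g. `/* Types that can appear in a signed catalog zone but carry no catalog data; callers skip them. */`. Because it is a denylist, any other type that dns_catz_update_process() does not understand will still reach it and log the warning; if the set of types the catalog parser accepts is small and fixed, checking against that set instead would avoid revisiting this helper for each new type.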
@@ -2230,6 +2236,17 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 result = dns_rdatasetiter_first(rdsiter);
 while (result == ISC_R_SUCCESS) {
 dns_rdatasetiter_current(rdsiter, &rdataset);
+
+ /*
+ * Skip processing DNSSEC-related and ZONEMD types,
+ * because we are not interested in them in the context
+ * of a catalog zone, and processing them will fail
+ * and produce an unnecessary warning message.
+ */
+ if (!catz_rdatatype_is_processable(rdataset.type)) {
+ goto next;
+ }
+
 result = dns_catz_update_process(catzs, newzone, name, &rdataset);
 if (result != ISC_R_SUCCESS) {
@@ -2251,6 +2268,7 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 cname, classbuf, typebuf, isc_result_totext(result));
 }
+ next:
 dns_rdataset_disassociate(&rdataset);
 result = dns_rdatasetiter_next(rdsiter);
 }
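Review bot: The new `goto next` path drops DNSSEC-related and ZONEMD rdatasets before dns_catz_update_process() is called, so they are ignored here rather than checked, and the comment should say so to avoid the reading that a signed catalog zone is validated by this code. A final sentence in the comment such as `* These records are ignored, not validated; signing the catalog adds no integrity check at this point.` would do. The authenticity of the catalog contents then presumably still rests on how the zone reached this server (for example an authenticated transfer), which is outside this hunk. dns_catz_update_from_db() starts and ends outside both hunks; the `next:` label in the last hunk is the target of this jump and keeps dns_rdataset_disassociate() on the skip path.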