diff --git a/CHANGES b/CHANGES
index 22f8200293..29e2029f01 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+5613.	[bug]		It was possible to write an invalid transaction header
+			in the journal file for a managed-keys database after
+			upgrading. This has been fixed. Invalid headers in
+			existing journal files are detected and named is able
+			to recover from them. [GL #2600]
+
 5612.	[bug]		Continued refactoring of the network manager:
 			- allow recovery from read and connect timeout events
 			- ensure that calls to isc_nm_*connect() always
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index ec47cf85d1..cd3af2cb7b 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -74,3 +74,9 @@ Bug Fixes
   recursion for a client query completed when ``named`` was about to look for
   a stale answer, an assertion could fail in ``query_respond()``, resulting in
   a crash. This has been fixed. [GL #2594]
+
+- After upgrading to the previous release, journal files for trust anchor
+  databases (e.g., ``managed-keys.bind.jnl``) could be left in a corrupt
+  state. (Other zone journal files were not affected.) This has been
+  fixed. If a corrupt journal file is detected, ``named`` can now recover
+  from it. [GL #2600]