diff --git a/CHANGES b/CHANGES
index e568b930f3..a5e1482b85 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6219.	[bug]		Ignore 'max-zone-ttl' on 'dnssec-policy insecure'.
+			[GL #4032]
+
 6218.	[func]		Add inline-signing to dnssec-policy. [GL #3677]
 
 6217.	[func]		The dns_badcache unit was refactored to use cds_lfht
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index c2e2a53268..6901989603 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -55,6 +55,10 @@ Bug Fixes
   uninterrupted time spent by resolving long cached chains of domain names.
   :gl:`#4185`
 
+- Ignore :any:`max-zone-ttl` for :any:`dnssec-policy` "insecure",
+  otherwise some zones will not be loaded if they use a TTL value larger
+  than 86400. :gl:`#4032`.
+
 Known Issues
 ~~~~~~~~~~~~