diff --git a/CHANGES b/CHANGES
index 28aef3bef5..89f9500843 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5588.	[func]		Add "purge-keys" option to "dnssec-policy". This sets
+			the time how long key files should be retained after
+			they have become obsolete. [GL #2408]
+
 5587.	[bug]		A standalone libtool script no longer needs to be
 			present in PATH in order to build BIND 9 from a source
 			tarball prepared using "make dist". [GL #2504]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 508fbb0226..c08c6f6954 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -26,6 +26,11 @@ New Features
 
 - None.
 
+- A new option, ``purge-keys``, has been added to ``dnssec-policy``. It sets
+  the time how long key files should be retained after they have become
+  obsolete (due to a key rollover). Default is 90 days, and the feature can
+  be disabled by setting it to 0. [GL #2408]
+
 Removed Features
 ~~~~~~~~~~~~~~~~