diff --git a/CHANGES b/CHANGES index f339864482..909168b351 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5108. [bug] Named could fail to determine bottom of zone when + removing out of date keys leading to invalid NSEC + and NSEC3 records being added to the zone. [GL #771] + 5107. [bug] 'host -U' did not work. [GL #769] 5106. [experimental] A new "plugin" mechanism has been added to allow diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 8d707fb2e0..beb8ca1e17 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -126,6 +126,20 @@ in use. This flaw is disclosed in CVE-2018-5740. [GL #387] + + + Code change #4964, intended to prevent double signatures + when deleting an inactive zone DNSKEY in some situations, + introduced a new problem during zone processing in which + some delegation glue RRsets are incorrectly identified + as needing RRSIGs, which are then created for them using + the current active ZSK for the zone. In some, but not all + cases, the newly-signed RRsets are added to the zone's + NSEC/NSEC3 chain, but incompletely -- this can result in + a broken chain, affecting validation of proof of nonexistence + for records in the zone. [GL #771] + +
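Review bot: the CHANGES entry 5108 describes a different mechanism from the release note in the same patch: here the cause is "Named could fail to determine bottom of zone when removing out of date keys", while doc/arm/notes.xml says delegation glue RRsets were wrongly identified as needing RRSIGs and then only partially added to the NSEC/NSEC3 chain. One consistent wording would help anyone grepping CHANGES for the symptom, and the entry should say this is a regression introduced by change #4964 so readers can tell which releases are affected. Minor punctuation while here: "out of date keys leading to" reads better as "out-of-date keys, leading to".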
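Review bot: the new release note in doc/arm/notes.xml explains the cause but not the operational impact or the remediation, and it sits directly after a CVE entry, so operators will want both. A broken NSEC/NSEC3 chain means validating resolvers return validation failures for names that do not exist in the zone; the note should say so plainly, and should state whether upgrading alone repairs a chain that was already corrupted by the #4964 behaviour or whether affected zones need to be re-signed (for example by forcing a full re-sign of the zone). "In some, but not all cases" is also vaguer than it needs to be: if the condition is tied to deleting an inactive DNSKEY while delegation glue is present, say that, since it tells an operator whether their zones were exposed. Finally, the "--" in "incompletely -- this can result" is a plain double hyphen inside DocBook XML; either reword the sentence or use the entity the rest of notes.xml uses for dashes.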