diff --git a/CHANGES b/CHANGES
index 3b990f5764..84f3caf0e5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552]
+
 6358. [bug] Fix validate_dnskey_dsset when KSK is not signing, do not skip remainder of DS RRset. [GL #4625]
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index cc59e42c0b..c26d517d4c 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -630,6 +630,13 @@ keymgr_dep(dst_key_t *k, dns_dnsseckeylist_t *keyring, uint32_t *dep) {
 * Check if k is a direct successor of d, e.g. d depends on k.
 */
 if (keymgr_direct_dep(d->key, k)) {
+ dst_key_state_t hidden[NUM_KEYSTATES] = {
+ HIDDEN, HIDDEN, HIDDEN, HIDDEN
+ };
+ if (keymgr_key_match_state(d->key, k, NA, NA, hidden)) {
+ continue;
+ }
+
 if (dep != NULL) {
 *dep = dst_key_id(d->key);
 }
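Review bot: The added `continue` in keymgr_dep has no comment explaining why a predecessor `d` that matches HIDDEN in every state is no longer treated as depending on `k`, and the existing comment above it still reads as if every direct successor relation counts. I would add above the new block something like `/* d is hidden in every key state, so it no longer depends on its successor k; keep scanning the keyring. */`, with the wording confirmed against the intended rollover semantics. The initializer also spells out four HIDDEN entries for an array sized NUM_KEYSTATES, so if that constant ever differs from four the remaining slots are zero-initialised, and whether zero means HIDDEN is not visible here. Since this predicate presumably gates DNSSEC key state transitions during a rollover, a regression test for the fully hidden predecessor case would be worth having; none appears in this diff. keymgr_dep starts and ends outside the hunk.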