diff --git a/CHANGES b/CHANGES index 13d9e9fe3b..188bbd6158 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +5925. [bug] With a forwarder configured for all queries, resolution + failures encountered during DS chasing could trigger + assertion failures due to a logic bug in + resume_dslookup() that caused it to call + dns_resolver_createfetch() with an invalid name. + [GL #3439] + 5924. [func] When it's necessary to use AXFR to respond to an IXFR request, a message explaining the reason is now logged at level info. [GL #2683] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 70ae09d0bf..3f3ed47efe 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -40,6 +40,12 @@ Feature Changes Bug Fixes ~~~~~~~~~ +- When running as a validating resolver forwarding all queries to + another resolver, :iscman:`named` could crash with an assertion + failure. These crashes occurred when the configured forwarder sent a + broken DS response and :iscman:`named` failed its attempts to find a + proper one instead. This has been fixed. :gl:`#3439` + - Non-dynamic zones that inherit dnssec-policy from the view or options level were not marked as inline-signed, and thus were never scheduled to be re-signed. This is now fixed. :gl:`#3438`
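Review bot: In the CHANGES hunk, entry 5925 says resume_dslookup() called dns_resolver_createfetch() "with an invalid name" but does not say what made the name invalid or which assertion failed, so an operator matching a crash log against this entry has little to go on. Consider stating the condition in a few words. Also, the trigger described here is a resolution failure during DS chasing through a configured forwarder, which means the crash is driven by responses from a remote party; it would help to record in the merge request that the [bug] tag, rather than a security classification, was a deliberate decision.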
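Review bot: In the doc/notes/notes-current.rst hunk, the clause "failed its attempts to find a proper one instead" is hard to parse and leaves unclear who was looking for what; something like "and :iscman:`named` was then unable to obtain a valid DS response itself" reads more directly. The note also speaks of a "broken DS response" while the CHANGES entry in the same patch speaks of "resolution failures encountered during DS chasing". Aligning the two descriptions would let operators tell whether only malformed responses or any lookup failure from the forwarder could lead to the crash, and so judge their exposure before upgrading.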