diff --git a/CHANGES b/CHANGES
index 97925d63dd..81f71ad52f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -24,6 +24,10 @@
 5821.	[bug]		Fix query context management issues in the TCP part
 			of dig. [GL #3184]
 
+5819.	[security]	Lookups involving a DNAME could trigger an INSIST when
+			"synth-from-dnssec" was enabled. (CVE-2022-0635)
+			[GL #3158]
+
 5818.	[security]	A synchronous call to closehandle_cb() caused
 			isc__nm_process_sock_buffer() to be called recursively,
 			which in turn left TCP connections hanging in the
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index c4a0fd18c6..005f209183 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -28,6 +28,12 @@ Security Fixes
   TCP sockets in the ``CLOSE_WAIT`` state when the client did not
   properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
 
+- Lookups involving a DNAME could trigger an assertion failure when
+  ``synth-from-dnssec`` was enabled (which is the default).
+  (CVE-2022-0635)
+
+  ISC would like to thank Vincent Levigneron from AFNIC for bringing
+  this vulnerability to our attention. :gl:`#3158`
 
 Known Issues
 ~~~~~~~~~~~~