diff --git a/CHANGES b/CHANGES index b70b4abcef..4b4d18e57d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5632. [func] Add built-in dnssec-policy "insecure". This is used to + transition a zone from a signed state to a unsigned + state. [GL #2645] + 5631. [bug] Update ZONEMD to match RFC 8976. [GL #2658] 5630. [func] Treat DNSSEC responses with NSEC3 iterations greater diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 717b1a7540..423ecede42 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -41,7 +41,18 @@ Feature Changes configured in an NSEC3 zones to 150. :gl:`#2642` - Treat DNSSEC responses with NSEC3 iterations greater than 150 as insecure. - [GL #2445] + :gl:`#2445` + +- Implement ``draft-vandijk-dnsop-nsec-ttl``, NSEC(3) TTL values are now set to + the minimum of the SOA MINIMUM value and the SOA TTL. :gl:`#2347` + +- Zones that want to transition from secure to insecure mode without making it + bogus in the process should now first change their ``dnssec-policy`` to + ``insecure`` (as opposed to ``none``). Only after the DNSSEC records have + been removed from the zone (in a timely manner), the ``dnssec-policy`` can + be set to ``none`` (or be removed from the configuration). Setting the + ``dnssec-policy`` to ``insecure`` will cause CDS and CDNSKEY DELETE records + to be published. :gl:`#2645` Bug Fixes ~~~~~~~~~
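Review bot: in the new 5632 CHANGES entry, "to a unsigned state" should read "to an unsigned state". It would also help to mention in the entry what the policy actually does, since the release note in the same patch says it causes CDS and CDNSKEY DELETE records to be published; a one-line hint such as "publishes CDS/CDNSKEY DELETE records so the parent DS can be withdrawn before signing stops" tells readers of CHANGES why "insecure" differs from "none".

Review bot: in the notes-current.rst hunk, the "insecure" bullet leaves the ordering constraint vague: "in a timely manner" does not tell an operator what to wait for. Since the same bullet says the policy publishes CDS and CDNSKEY DELETE records, consider stating the condition explicitly, e.g. "only after the parent has removed the DS record and the old DS and DNSKEY TTLs have expired from caches should ``dnssec-policy`` be set to ``none``"; otherwise the "without making it bogus in the process" promise depends on a step the reader has to infer. Two smaller points in the same hunk: the ``draft-vandijk-dnsop-nsec-ttl`` bullet is a comma splice ("Implement ..., NSEC(3) TTL values are now set to ...") and should be split into two sentences or joined with a colon, and it cites :gl:`#2347` rather than the :gl:`#2645` this change is about, with no matching CHANGES entry in this diff, so please confirm it is meant to be added here rather than in its own change.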