diff --git a/CHANGES b/CHANGES index f8b2ab0343..587bd10c72 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5230. [protocol] The SHA-1 hash algorithm is no longer used when + generating DS and CDS records. [GL #1015] + 5229. [protocol] Enforce known SSHFP fingerprint lengths. [GL #852] 5228. [func] If trusted-keys and managed-keys were configured diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 2781c728a8..732da2f8da 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -144,6 +144,21 @@ configuration error. [GL #868] + + + DS and CDS records are now generated with SHA-256 digests + only, instead of both SHA-1 and SHA-256. This affects the + default output of dnssec-dsfromkey, the + dsset files generated by + dnssec-signzone, the DS records added to + a zone by dnssec-signzone based on + keyset files, the CDS records added to + a zone by named and + dnssec-signzone based on "sync" timing + parameters in key files, and the checks performed by + dnssec-checkds. + +
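Review bot: In the CHANGES hunk, entry 5230 says what was removed but not what remains, and "when generating DS and CDS records" is narrower than the scope described in the doc/arm/notes.xml paragraph of the same patch, which also lists the checks performed by dnssec-checkds. Suggest naming the surviving digest and the checking side in the entry, for example "DS and CDS records are now generated and checked with SHA-256 digests only", so that someone reading CHANGES alone sees that verification behaviour changed as well as output.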
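Review bot: In the doc/arm/notes.xml hunk, the closing clause says the checks performed by dnssec-checkds are affected but does not say how, so an operator whose parent zone still publishes a SHA-1 DS cannot tell from this note whether the tool will now report a mismatch. Please state the new checking behaviour in a sentence of its own. The phrase "default output of dnssec-dsfromkey" also implies that non-default output is still available; either say how to request it or drop "default" if that is not the case. Finally, the preceding note in the context lines ends with its issue reference ("[GL #868]"); adding "[GL #1015]" here would keep the release notes consistent with the CHANGES entry.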