diff --git a/CHANGES b/CHANGES index caa56b09c9..b773b38458 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +5806. [bug] An error in checking the "blackhole" ACL could cause + DNS requests sent by named to fail if the + destination address or prefix was specifically + excluded from the ACL. [GL #3157] + 5805. [func] The result of each resolver priming attempt is now included in the "resolver priming query complete" log message. [GL #3139] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ded784f7a7..c9ae25023b 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -62,3 +62,11 @@ Bug Fixes - Build errors were introduced in some DLZ modules due to an incomplete change in the previous release. This has been fixed. :gl:`#3111` + +- An error in the processing of the ``blackhole`` ACL could cause some DNS + requests sent by ``named`` to fail - for example, zone transfer requests + and SOA refresh queries - if the destination address or prefix was + specifically excluded from the ACL using ``!``, or if the ACL was set + to ``none``. ``blackhole`` worked correctly when it was left unset, or + if only positive-match elements were included. This has now been fixed. + :gl:`#3157`
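Review bot: In the CHANGES hunk, entry 5806 names only one trigger, "if the destination address or prefix was specifically excluded from the ACL", while the release note added to doc/notes/notes-current.rst in this same patch also names the ACL being set to ``none``. Suggest adding the ``none`` case to the CHANGES entry so that both descriptions of GL #3157 agree and an operator reading only CHANGES does not conclude that a ``blackhole { none; };`` configuration was unaffected.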
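Review bot: In the doc/notes/notes-current.rst hunk, the new bullet separates "could cause some DNS requests sent by ``named`` to fail" from its condition ("if the destination address or prefix was specifically excluded ...") with the dash-delimited examples, so the trigger is easy to misread as applying only to the examples. Suggest stating the condition first (negated elements using ``!``, or the ACL set to ``none``), then the effect, and moving "zone transfer requests and SOA refresh queries" into a trailing "for example" clause. The spaced hyphens used as dashes could also be dropped in that rewording.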