diff --git a/CHANGES b/CHANGES index 5c8236d6f9..8e279f5d93 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5899. [func] Don't try to process DNSSEC-related and ZONEMD records + in catz. [GL #3380] + 5896. [func] Add some more dnssec-policy checks to detect weird policies. [GL #1611] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 3a6ddd8b5d..0d5399df98 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -45,3 +45,6 @@ Bug Fixes - Key files were updated every time the ``dnssec-policy`` key manager ran, whether the metadata has changed or not. BIND now checks if changes were applied before writing out the key files. :gl:`#3302`. + +- DNSSEC-signed catalog zones were not being processed correctly. This + has been fixed. :gl:`#3380`. diff --git a/lib/dns/catz.c b/lib/dns/catz.c index 23cc7897ab..6037d32ad2 100644 --- a/lib/dns/catz.c +++ b/lib/dns/catz.c @@ -2100,6 +2100,12 @@ cleanup: return (result); } +static bool +catz_rdatatype_is_processable(const dns_rdatatype_t type) { + return (!dns_rdatatype_isdnssec(type) && type != dns_rdatatype_cds && + type != dns_rdatatype_cdnskey && type != dns_rdatatype_zonemd); +} + void dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) { dns_catz_zone_t *oldzone = NULL, *newzone = NULL; @@ -2242,6 +2248,17 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) { result = dns_rdatasetiter_first(rdsiter); while (result == ISC_R_SUCCESS) { dns_rdatasetiter_current(rdsiter, &rdataset); + + /* + * Skip processing DNSSEC-related and ZONEMD types, + * because we are not interested in them in the context + * of a catalog zone, and processing them will fail + * and produce an unnecessary warning message. + */ + if (!catz_rdatatype_is_processable(rdataset.type)) { + goto next; + } + result = dns_catz_update_process(catzs, newzone, name, &rdataset); if (result != ISC_R_SUCCESS) { 
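Review bot: `catz_rdatatype_is_processable()` is a denylist, and nothing in it says why CDS, CDNSKEY and ZONEMD are named next to `dns_rdatatype_isdnssec()`. Presumably that predicate does not report them, but a reader has to go and check. I would put a short comment above the helper, e.g. `/* Record types that a signed or ZONEMD-protected catalog zone carries but that are not catalog zone data. */`, plus one line on why the three extra types are spelled out. Because this is a denylist, any other non-catalog type published in the zone still reaches `dns_catz_update_process()` and its warning path; if that is intended, the comment should say so.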
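Review bot: The comment on the new skip in the rdataset loop of `dns_catz_update_from_db()` explains the warning it avoids, but not that the DNSSEC and ZONEMD rdatasets are dropped here without being checked. Nothing in the visible loop validates the catalog's signatures or digest. If its integrity is expected to come from elsewhere (for instance the transfer channel), I'd add one line to the comment, e.g. `* Skipping them is not validation: member zones are taken from the catalog as received.` The `goto next` does reach `dns_rdataset_disassociate()` through the label added in the following hunk, so the skipped rdataset is released. The loop body starts and ends outside this hunk.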
@@ -2263,6 +2280,7 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) { cname, classbuf, typebuf, isc_result_totext(result)); } + next: dns_rdataset_disassociate(&rdataset); result = dns_rdatasetiter_next(rdsiter); }