diff --git a/ChangeLog.d/issue4361.txt b/ChangeLog.d/issue4361.txt index 670c8a6580..f1dbb3f195 100644 --- a/ChangeLog.d/issue4361.txt +++ b/ChangeLog.d/issue4361.txt @@ -1,2 +1,3 @@ Removals - * Remove the MBEDTLS_SSL_RECORD_CHECKING option. Fixes #4361. + * Remove the MBEDTLS_SSL_RECORD_CHECKING option and enable by default its + previous action. Fixes #4361. diff --git a/docs/3.0-migration-guide.d/remove_ssl_record_checking.md b/docs/3.0-migration-guide.d/remove_ssl_record_checking.md new file mode 100644 index 0000000000..a1b8a5757b --- /dev/null +++ b/docs/3.0-migration-guide.d/remove_ssl_record_checking.md @@ -0,0 +1,13 @@ +Remove MBEDTLS_SSL_RECORD_CHECKING option and enable its action by default +-------------------------------------------------------------------------- + +This change does not affects users who use the default config.h, as the +option MBEDTLS_SSL_RECORD_CHECKING was already on by default. + +This option was added only to controls compilation of one function +(mbedtls_ssl_check_record()) used in DTLS to check a buffer's validity and +authenticity. Switching it off poses a security risk. + +For users who changed the default setting of the option there is no real path +of migration. +
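Review bot: In the ChangeLog.d/issue4361.txt hunk, "enable by default its previous action" is awkward, and "by default" is misleading once the option no longer exists, because nothing is left to turn off. The migration guide added in the same patch says the option was already on by default, so the real change is that the behaviour is now unconditional. Suggest something like "Remove the MBEDTLS_SSL_RECORD_CHECKING option. The function it guarded, mbedtls_ssl_check_record(), is now always compiled in. Fixes #4361." Naming the function here also lets a reader searching the changelog find the entry.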
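Review bot: In the new docs/3.0-migration-guide.d/remove_ssl_record_checking.md, the closing paragraph ("there is no real path of migration") leaves users who had disabled the option without any instruction. Say concretely what changes for them: mbedtls_ssl_check_record() is now always built, and they should drop the MBEDTLS_SSL_RECORD_CHECKING line from their configuration. "Switching it off poses a security risk" states a risk without saying what it is. One clause tying it to the function's stated purpose (checking a buffer's validity and authenticity in DTLS) would justify removing the option. Two grammar fixes in the same file: "does not affects" should be "does not affect", and "only to controls" should be "only to control".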