diff --git a/CHANGELOG.md b/CHANGELOG.md
index 98d8bfbcc4..75a1c84537 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 ### Changed
 - Updated `t3c` to request less unnecessary deliveryservice-server assignment and invalidation jobs data via new query params supported by Traffic Ops
 - [#6179](https://github.com/apache/trafficcontrol/issues/6179) Updated the Traffic Ops rpm to include the `ToDnssecRefresh` binary and make the `trafops_dnssec_refresh` cron job use it
+- Changed the DNSSEC refresh Traffic Ops API to only create a new change log entry if any keys were actually refreshed or an error occurred (in order to reduce changelog noise)
 - [#5927](https://github.com/apache/trafficcontrol/issues/5927) Updated CDN-in-a-Box to not run a Riak container by default but instead only run it if the optional flag is provided.
 
 ### Deprecated
diff --git a/traffic_ops/traffic_ops_golang/cdn/dnssecrefresh.go b/traffic_ops/traffic_ops_golang/cdn/dnssecrefresh.go
index 015fc1adbb..4db4e240f2 100644
--- a/traffic_ops/traffic_ops_golang/cdn/dnssecrefresh.go
+++ b/traffic_ops/traffic_ops_golang/cdn/dnssecrefresh.go
@@ -185,6 +185,7 @@ func doDNSSECKeyRefresh(tx *sql.Tx, asyncDB *sqlx.DB, tv trafficvault.TrafficVau
 
 	errCount := 0
 	updateCount := 0
+	putErr := false
 	for _, cdnInf := range cdnDNSSECKeyParams {
 		keys, ok, err := tv.GetDNSSECKeys(string(cdnInf.CDNName), tx, context.Background()) // TODO get all in a map beforehand
 		if err != nil {
@@ -327,19 +328,25 @@ func doDNSSECKeyRefresh(tx *sql.Tx, asyncDB *sqlx.DB, tv trafficvault.TrafficVau
 		if updateCount > 0 {
 			if err := tv.PutDNSSECKeys(string(cdnInf.CDNName), keys, tx, context.Background()); err != nil {
 				log.Errorln("refreshing DNSSEC Keys: putting keys into Traffic Vault for cdn '" + string(cdnInf.CDNName) + "': " + err.Error())
-				errCount++
+				putErr = true
 			}
 		}
 	}
 	clMsg := fmt.Sprintf("Refreshed %d DNSSEC keys", updateCount)
 	status := api.AsyncSucceeded
 	msg := fmt.Sprintf("DNSSEC refresh completed successfully (%d keys were updated)", updateCount)
-	if errCount > 0 {
+	if putErr {
+		status = api.AsyncFailed
+		msg = fmt.Sprintf("DNSSEC refresh failed (attempted to update %d keys, but an error occurred while attempting to store in Traffic Vault)", updateCount)
+		clMsg = fmt.Sprintf("Attempted to refresh %d DNSSEC keys, but an error occurred while attempting to store in Traffic Vault", updateCount)
+	} else if errCount > 0 {
 		status = api.AsyncFailed
-		msg = fmt.Sprintf("DNSSEC refresh failed (%d keys were updated, but %d errors occurred)", updateCount, errCount)
+		msg = fmt.Sprintf("DNSSEC refresh failed (updated %d keys, but %d errors occurred)", updateCount, errCount)
 		clMsg = fmt.Sprintf("Refreshed %d DNSSEC keys, but %d errors occurred", updateCount, errCount)
 	}
-	api.CreateChangeLogRawTx(api.ApiChange, clMsg, user, tx)
+	if updateCount > 0 || errCount > 0 || putErr {
+		api.CreateChangeLogRawTx(api.ApiChange, clMsg, user, tx)
+	}
 	if asyncErr := api.UpdateAsyncStatus(asyncDB, status, msg, jobID, true); asyncErr != nil {
 		log.Errorf("updating async status for id %d: %v", jobID, asyncErr)
 	}