diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index ca8344ac80..39c37fb85a 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -47,12 +47,12 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- The GSSAPI no longer uses the ISC implementation of the SPNEGO - mechanism and instead relies on the SPNEGO implementation from the - system Kerberos library. All major Kerberos libraries contain the - SPNEGO mechanism implementation. This change was implemented in BIND - 9.17.2, but it was not included in the release notes at the time. - [GL #2607] +- The ISC implementation of SPNEGO was removed from BIND 9 source code. + Instead, BIND 9 now always uses the SPNEGO implementation provided by + the system GSSAPI library when it is built with GSSAPI support. All + major contemporary Kerberos/GSSAPI libraries contain an implementation + of the SPNEGO mechanism. This change was introduced in BIND 9.17.2, + but it was not included in the release notes at the time. [GL #2607] - The default value for the ``stale-answer-client-timeout`` option was changed from ``1800`` (ms) to ``off``. The default value may be 
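Review bot: the rewritten SPNEGO entry adds the qualifier "when it is built with GSSAPI support", which the old entry did not have, so the note should state plainly what a build without GSSAPI support gets now that the ISC SPNEGO code is gone (the old text read as if SPNEGO was always available). The sentence "All major contemporary Kerberos/GSSAPI libraries contain an implementation of the SPNEGO mechanism" would also benefit from a pointer to the build requirements or minimum library versions, since an operator upgrading from a release that bundled its own SPNEGO code will want to verify the system library before relying on it.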
@@ -67,38 +67,40 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- When calling ``rndc dnssec -rollover`` or ``rndc checkds -checkds``, - ``named`` now updates the keys immediately, avoiding unnecessary rollover - delays. [#2488] +- After ``rndc checkds -checkds`` or ``rndc dnssec -rollover`` is used, + ``named`` now immediately attempts to reconfigure zone keys. This + change prevents unnecessary key rollover delays. [GL #2488] -- Dynamic zones with ``dnssec-policy`` that were frozen could not be thawed. - This has been fixed. [GL #2523] +- Zones using KASP could not be thawed after they were frozen using + ``rndc freeze``. This has been fixed. [GL #2523] -- CDS/CDNSKEY DELETE records are now removed when a zone transitioned from - secure to insecure. "named-checkzone" no longer complains if such records - exist in an unsigned zone. [GL #2517] +- CDS/CDNSKEY DELETE records are now removed when a zone transitions + from a secure to an insecure state. ``named-checkzone`` also no longer + reports an error when such records are found in an unsigned zone. + [GL #2517] -- Fix a crash when transferring a zone over TLS, after "named" previously - skipped a master. [GL #2562] +- ``named`` crashed after skipping a primary server while transferring a + zone over TLS. This has been fixed. [GL #2562] -- It was discovered that the TCP idle and initial timeouts were incorrectly - applied in the BIND 9.16 and 9.17 branches. Only the ``tcp-initial-timeout`` - was applied on the whole connection, even if the connection were still active, - which could cause a large zone transfer to be sent back to the client. The - default setting for ``tcp-initial-timeout`` was 30 seconds, which meant that - any TCP connection taking more than 30 seconds was abruptly terminated. This - has been fixed. 
[GL #2573] +- TCP idle and initial timeouts were being incorrectly applied: only the + ``tcp-initial-timeout`` was applied on the whole connection, even if + the connection were still active, which could prevent a large zone + transfer from being sent back to the client. The default setting for + ``tcp-initial-timeout`` was 30 seconds, which meant that any TCP + connection taking more than 30 seconds was abruptly terminated. This + has been fixed. [GL #2583] - When ``stale-answer-client-timeout`` was set to a positive value and - recursion for a client query completed when ``named`` was about to look for - a stale answer, an assertion could fail in ``query_respond()``, resulting in - a crash. This has been fixed. [GL #2594] + recursion for a client query completed when ``named`` was about to + look for a stale answer, an assertion could fail in + ``query_respond()``, resulting in a crash. This has been fixed. + [GL #2594] -- After upgrading to the previous release, journal files for trust anchor - databases (e.g., ``managed-keys.bind.jnl``) could be left in a corrupt - state. (Other zone journal files were not affected.) This has been - fixed. If a corrupt journal file is detected, ``named`` can now recover - from it. [GL #2600] +- After upgrading to the previous release, journal files for trust + anchor databases (e.g. ``managed-keys.bind.jnl``) could be left in a + corrupt state. (Other zone journal files were not affected.) This has + been fixed. If a corrupt journal file is detected, ``named`` can now + recover from it. [GL #2600] - When dumping the cache to file, TTLs were being increased with ``max-stale-ttl``. Also the comment above stale RRsets could have nonsensical
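Review bot: the TCP timeout entry's reference changes from [GL #2573] to [GL #2583] while every other entry keeps its number; confirm which issue is correct, since a wrong link in release notes is hard to catch later. In the same entry the described effect is inverted, from "could cause a large zone transfer to be sent back to the client" to "could prevent a large zone transfer from being sent back to the client"; the new reading is consistent with the following sentence (connections taking more than 30 seconds were abruptly terminated), but it is a substantive change and should be checked against the issue. The [#2488] to [GL #2488] fix correctly brings that entry in line with the others.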