Tweak and reword release notes

This commit is contained in:
Michał Kępień
2021-08-10 12:20:52 +02:00
parent fcd0e218ff
commit 876ca54af5


@@ -14,15 +14,15 @@ Notes for BIND 9.17.17
Security Fixes
~~~~~~~~~~~~~~
- Named failed to check the opcode of responses when performing refresh,
stub updates, and UPDATE forwarding. This could lead to an assertion
failure under particular conditions. This has been addressed by checking
the opcode of those responses and rejecting the messages if they don't
match the expected value. :gl:`#2762`
- ``named`` failed to check the opcode of responses when performing zone
refreshes, stub zone updates, and UPDATE forwarding. This could lead
to an assertion failure under certain conditions and has been
addressed by rejecting responses whose opcode does not match the
expected value. :gl:`#2762`
- Fix an assertion failure that occured in ``named`` when attempting to send
a UDP packet exceeding the MTU size if rate-limiting was enabled.
(CVE-2021-25218) :gl:`#2839`
- Fixed an assertion failure that occurred in ``named`` when it
attempted to send a UDP packet that exceeded the MTU size, if
Response Rate Limiting (RRL) was enabled. (CVE-2021-25218) :gl:`#2856`
Known Issues
~~~~~~~~~~~~
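Review bot: the issue reference on the CVE-2021-25218 item changes from :gl:`#2839` to :gl:`#2856` in the new text, which is a substantive change rather than a rewording; confirm that #2856 is the intended issue (or that both should be listed) before merging this under a commit titled "Tweak and reword release notes". The rest of the hunk is an improvement: "occured" is corrected to "occurred", ``named`` gets the literal markup used elsewhere in the notes, and spelling out "Response Rate Limiting (RRL)" tells the reader which feature the assertion failure depended on.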
@@ -32,12 +32,13 @@ Known Issues
New Features
~~~~~~~~~~~~
- It is now possible to set a hard quota on the number of concurrent DoH
connections, and the number of active HTTP/2 streams per connection,
by using the ``http-listener-clients`` and ``http-streams-per-connection``
options, or the ``listener-clients`` and ``streams-per-connection``
parameters to an ``http`` statement. The defaults are 300 and 100
respectively. :gl:`#2809`
- It is now possible to set a hard quota on both the number of
concurrent DNS-over-HTTPS (DoH) connections and the number of active
HTTP/2 streams per connection, by using the ``http-listener-clients``
and ``http-streams-per-connection`` options, or the
``listener-clients`` and ``streams-per-connection`` parameters in an
``http`` statement. The defaults are 300 and 100, respectively.
:gl:`#2809`
- Add support for HTTPS and SVCB record types. :gl:`#1132`
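Review bot: style inconsistency in the unchanged context line "Add support for HTTPS and SVCB record types. :gl:`#1132`": the surrounding items are written as "It is now possible ..." or in the past tense, so while this section is being reflowed consider "Added support for the HTTPS and SVCB record types." The reworded DoH quota item is fine; expanding "DNS-over-HTTPS (DoH)" on first use matches the wording later adopted in the Feature Changes section.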
@@ -49,28 +50,29 @@ Removed Features
Feature Changes
~~~~~~~~~~~~~~~
- DNS over HTTPS support can be disabled at the compile time via the new
configuration option ``--disable-doh``. This allows BIND 9 to be
compiled without libnghttp2 library. :gl:`#2478`
- DNS-over-HTTPS (DoH) support can now be disabled at compile time using
a new build-time option, ``--disable-doh``. This allows BIND 9 to be
built without the libnghttp2 library. :gl:`#2478`
- Memory allocation has been substantially refactored, and is now based on
the memory allocation API provided by the `jemalloc` library on platforms
where it is available. This library is now recommended for building BIND 9.
:gl:`#2433`
- Memory allocation has been substantially refactored; it is now based
on the memory allocation API provided by the jemalloc library, on
platforms where it is available. Use of this library is now
recommended when building BIND 9; although it is optional, it is
enabled by default. :gl:`#2433`
- Previously, named accepted FORMERR responses both with and without
- Previously, ``named`` accepted FORMERR responses both with and without
an OPT record, as an indication that a given server did not support
EDNS. To implement full compliance with RFC 6891, only FORMERR
EDNS. To implement full compliance with :rfc:`6891`, only FORMERR
responses without an OPT record are now accepted. This intentionally
breaks communication with servers that do not support EDNS and
that incorrectly echo back the query message with the RCODE field
set to FORMERR and the QR bit set to 1. :gl:`#2249`
breaks communication with servers that do not support EDNS and that
incorrectly echo back the query message with the RCODE field set to
FORMERR and the QR bit set to 1. :gl:`#2249`
- CDS and CDNSKEY records may now be published in a zone without the
requirement that they exactly match an existing DNSKEY record, so long
the zone is signed with an algorithm represented in the CDS or CDNSKEY
record. This allows a clean rollover from one DNS provider to another
when using a multiple-signer DNSSEC configuration. :gl:`#2710`
- CDS and CDNSKEY records can now be published in a zone without the
requirement that they exactly match an existing DNSKEY record, as long
as the zone is signed with an algorithm represented in the CDS or
CDNSKEY record. This allows a clean rollover from one DNS provider to
another when using a multiple-signer DNSSEC configuration. :gl:`#2710`
- ``dnssec-signzone`` is now able to retain signatures from inactive
predecessor keys without introducing additional signatures from the successor
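Review bot: the reworded jemalloc item adds a claim that the original text did not make, "although it is optional, it is enabled by default", which goes beyond rewording; confirm that this matches the actual build default before merging, since operators will read it when deciding whether libjemalloc needs to be installed on their build hosts. The other changes in this hunk are correct: "compile time via the new configuration option" becomes the clearer "at compile time using a new build-time option", "so long the zone is signed" becomes "as long as the zone is signed", and the bare "RFC 6891" becomes the :rfc:`6891` role used elsewhere in the notes.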
@@ -80,14 +82,13 @@ Feature Changes
Bug Fixes
~~~~~~~~~
- Testing revealed that setting the thread affinity on both the netmgr
and netthread threads led to inconsistent recursive performance, as
sometimes the netmgr and netthread threads competed over a single
resource.
- Testing revealed that setting the thread affinity for various types of
``named`` threads led to inconsistent recursive performance, as
sometimes multiple sets of threads competed over a single resource.
When the affinity is not set, tests show a slight dip in the authoritative
performance of around 5% (ranging from 3.8% to 7.8%), but
the recursive performance is now consistently improved. :gl:`#2822`
Due to the above, ``named`` no longer sets thread affinity. This
causes a slight dip of around 5% in authoritative performance, but
recursive performance is now consistently improved. :gl:`#2822`
- When following QNAME minimization, BIND could use a stale zonecut from cache
to resolve the query, resulting in a non-minimized query. This has been
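Review bot: the rewrite of the thread-affinity item drops the measured range "(ranging from 3.8% to 7.8%)" and keeps only "around 5%"; that range was the one quantified data point in the note, so either keep it or confirm the figures are not meant to be published. The added sentence "Due to the above, ``named`` no longer sets thread affinity" is a genuine improvement, because the old text only described what testing revealed and never stated what was actually changed.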