Tweak and reword release notes

doc/notes/notes-current.rst

@@ -24,7 +24,7 @@ Known Issues
 New Features
 ~~~~~~~~~~~~
 
-- Add support for HTTPS and SVCB record types. :gl:`#1132`
+- Support for HTTPS and SVCB record types has been added. :gl:`#1132`
 
 Removed Features
 ~~~~~~~~~~~~~~~~
@@ -35,13 +35,21 @@ Removed Features
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- ``dnssec-signzone`` is now able to retain signatures from inactive
+- When ``dnssec-signzone`` signs a zone using a successor key whose
-  predecessor keys without introducing additional signatures from the successor
+  predecessor is still published, it now only refreshes signatures for
-  key. This allows for a gradual replacement of RRSIGs as they reach expiry.
+  RRsets which have an invalid signature, an expired signature, or a
-  :gl:`#1551`
+  signature which expires within the provided cycle interval. This
+  allows ``dnssec-signzone`` to gradually replace signatures in a zone
+  whose ZSK is being rolled over (similarly to what ``auto-dnssec
+  maintain;`` does). :gl:`#1551`
 
-- SHA-1 CDS records are no longer used by ``dnssec-cds`` to make DS
+- ``dnssec-cds`` now only generates SHA-2 DS records by default and
-  records. Thanks to Tony Finch. :gl:`!2946`
+  avoids copying deprecated SHA-1 records from a child zone to its
+  delegation in the parent. If the child zone does not publish SHA-2 CDS
+  records, ``dnssec-cds`` will generate them from the CDNSKEY records.
+  The ``-a algorithm`` option now affects the process of generating DS
+  digest records from both CDS and CDNSKEY records. Thanks to Tony
+  Finch. :gl:`#2871`
 
 - ``named`` and ``named-checkconf`` now issue a warning when there is a single
   configured port in the ``query-source``, ``transfer-source``,
@@ -58,19 +66,21 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
-- When following QNAME minimization, BIND could use a stale zonecut from cache 
+- Stale data in the cache could cause ``named`` to send non-minimized
-  to resolve the query, resulting in a non-minimized query. This has been
+  queries despite QNAME minimization being enabled. This has been fixed.
-  fixed :gl:`#2665`
+  :gl:`#2665`
 
-- Migrate a single key to CSK when reconfiguring a zone to make use of
+- When a DNSSEC-signed zone which only has a single signing key
-  'dnssec-policy' :gl:`#2857`
+  available is migrated to ``dnssec-policy``, that key is now treated as
+  a Combined Signing Key (CSK). :gl:`#2857`
 
 - A recent change to the internal memory structure of zone databases
-  inadvertently neglected to update the MAPAPI value for ``map``-format
+  inadvertently neglected to update the MAPAPI value for zone files in
-  zone files. This caused ``named`` to attempt to load files into memory
+  ``map`` format. This caused version 9.17.17 of ``named`` to attempt to
-  that were no longer compatible, triggering an assertion failure on
+  load files into memory that were no longer compatible, triggering an
-  startup. The MAPAPI value has now been updated, so ``named`` will
+  assertion failure on startup. The MAPAPI value has now been updated,
-  reject outdated files when encountering them. :gl:`#2872`
+  so ``named`` rejects outdated files when encountering them.
+  :gl:`#2872`
 
 - When new IP addresses were added to the system during ``named``
   startup, ``named`` failed to listen on TCP for the newly added