diff --git a/CHANGES b/CHANGES index 8489ac2fba..6e77ae3e0e 100644 --- a/CHANGES +++ b/CHANGES 
@@ -31,51 +31,55 @@ "controls" statement was configured with multiple key algorithms in the same listener. [GL #2756] -5671. [bug] Fix a race condition where two threads are competing for - the same set of key file locks, that could lead to a - deadlock. This has been fixed. [GL #2786] + --- 9.16.19 released --- -5670. [bug] Handle place holder KEYDATA records. [GL #2769] +5671. [bug] A race condition could occur where two threads were + competing for the same set of key file locks, leading to + a deadlock. This has been fixed. [GL #2786] -5669. [func] Add 'checkds' feature. Zones with "dnssec-policy" and - "parental-agents" configured will check for DS presence - and are able to perform automatic KSK rollover. - [GL #1126] +5670. [bug] create_keydata() created an invalid placeholder keydata + record upon a refresh failure, which prevented the + database of managed keys from subsequently being read + back. This has been fixed. [GL #2686] -5668. [bug] When a zone fails to load on startup, the setnsec3param - task is rescheduled. This caused a hang on shutdown, and - is now fixed. [GL #2791] +5669. [func] KASP support was extended with the "check DS" feature. + Zones with "dnssec-policy" and "parental-agents" + configured now check for DS presence and can perform + automatic KSK rollovers. [GL #1126] + +5668. [bug] Rescheduling a setnsec3param() task when a zone failed + to load on startup caused a hang on shutdown. This has + been fixed. [GL #2791] 5667. [bug] The configuration-checking code failed to account for the inheritance rules of the "dnssec-policy" option. - [GL #2780] + This has been fixed. [GL #2780] -5666. [func] Tweak the safe "edns-udp-size" to match the probing - value from BIND 9.16 for better compatibility. Also - ``named`` now sets the DON'T FRAGMENT flag on outgoing - UDP packets. [GL #2183] +5666. [doc] The safe "edns-udp-size" value was tweaked to match the + probing value from BIND 9.16 for better compatibility. + [GL #2183] -5665. 
[bug] 'nsupdate' did not retry with another server if - it received a REFUSED response. [GL #2758] +5665. [bug] If nsupdate sends an SOA request and receives a REFUSED + response, it now fails over to the next available + server. [GL #2758] -5664. [func] Handle a UDP sending error on UDP messages larger - than the path MTU; in such a case an empty response is - sent back with the TC (TrunCated) bit set. Re-enable - setting the DF (Don't Fragment) flag on outgoing - UDP sockets. [GL #2790] +5664. [func] For UDP messages larger than the path MTU, named now + sends an empty response with the TC (TrunCated) bit set. + In addition, setting the DF (Don't Fragment) flag on + outgoing UDP sockets was re-enabled. [GL #2790] 5662. [bug] Views with recursion disabled are now configured with a - default cache size of 2 MB, unless "max-cache-size" is + default cache size of 2 MB unless "max-cache-size" is explicitly set. This prevents cache RBT hash tables from being needlessly preallocated for such views. [GL #2777] -5661. [bug] A deadlock was introduced when fixing [GL #1875] because - when locking the key file mutex for each zone structure - that is in a different view, "in-view" logic was not - taken into account. This has been fixed. [GL #2783] +5661. [bug] Change 5644 inadvertently introduced a deadlock: when + locking the key file mutex for each zone structure in a + different view, the "in-view" logic was not considered. + This has been fixed. [GL #2783] 5658. [bug] Increasing "max-cache-size" for a running named instance - (using "rndc reconfig") was not causing the hash tables + (using "rndc reconfig") did not cause the hash tables used by cache databases to be grown accordingly. This has been fixed. [GL #2770] 
@@ -85,9 +89,8 @@ CNAME chaining were required to prepare the response. This has been fixed. [GL #2759] -5653. [bug] Fixed a bug that caused the NSEC3 salt to be changed - for KASP zones on restart. - [GL #2725] +5653. [bug] A bug that caused the NSEC3 salt to be changed on every + restart for zones using KASP has been fixed. [GL #2725] --- 9.16.18 released --- @@ -158,6 +161,11 @@ incorrectly accepted at those levels without effect. This has been fixed. [GL #2536] +5624. [func] Task manager events are now processed inside network + manager loops. The task manager no longer needs its own + set of worker threads, which improves resolver + performance. [GL #2638] + --- 9.16.16 released --- 5637. [func] Change the default value of the "max-ixfr-ratio" option diff --git a/bin/tests/system/checkds/prereq.sh b/bin/tests/system/checkds/prereq.sh new file mode 100644 index 0000000000..4b122c9bf0 --- /dev/null +++ b/bin/tests/system/checkds/prereq.sh @@ -0,0 +1,29 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if test -n "$PYTHON" +then + if $PYTHON -c "from dns.query import send_tcp" 2> /dev/null + then + : + else + echo_i "This test requires the dnspython >= 2.0.0 module." >&2 + exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 +fi + +exit 0 diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 767a3ce6ca..2fe3b4ec5a 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -60,6 +60,7 @@ information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.16.19.rst .. include:: ../notes/notes-9.16.18.rst .. include:: ../notes/notes-9.16.17.rst .. include:: ../notes/notes-9.16.16.rst diff --git a/doc/notes/notes-9.16.11.rst b/doc/notes/notes-9.16.11.rst index ae09f8859c..45d0ff7e59 100644 --- a/doc/notes/notes-9.16.11.rst +++ b/doc/notes/notes-9.16.11.rst @@ -24,7 +24,7 @@ Feature Changes incoming queries among multiple threads). However, the only operating systems currently known to support load-balanced sockets are Linux and FreeBSD 12, which means both UDP and TCP performance were limited to a - single thread on other systems. As of BIND 9.17.8, ``named`` attempts + single thread on other systems. As of BIND 9.16.11, ``named`` attempts to distribute incoming queries among multiple threads on systems which lack support for load-balanced sockets (except Windows). :gl:`#2137` diff --git a/doc/notes/notes-9.16.19.rst b/doc/notes/notes-9.16.19.rst new file mode 100644 index 0000000000..bfcd74bd5a --- /dev/null +++ b/doc/notes/notes-9.16.19.rst 
@@ -0,0 +1,60 @@ +.. + Copyright (C) Internet Systems Consortium, Inc. ("ISC") + + This Source Code Form is subject to the terms of the Mozilla Public + License, v. 2.0. If a copy of the MPL was not distributed with this + file, you can obtain one at https://mozilla.org/MPL/2.0/. + + See the COPYRIGHT file distributed with this work for additional + information regarding copyright ownership. + +Notes for BIND 9.16.19 +---------------------- + +New Features +~~~~~~~~~~~~ + +- Using a new configuration option, ``parental-agents``, each zone can + now be associated with a list of servers that can be used to check the + DS RRset in the parent zone. This enables automatic KSK rollovers. + :gl:`#1126` + +Feature Changes +~~~~~~~~~~~~~~~ + +- IP fragmentation has been disabled for outgoing UDP sockets. Errors + triggered by sending DNS messages larger than the specified path MTU + are properly handled by sending empty DNS replies with the ``TC`` + (TrunCated) bit set, which forces DNS clients to fall back to TCP. + :gl:`#2790` + +Bug Fixes +~~~~~~~~~ + +- The code managing :rfc:`5011` trust anchors created an invalid + placeholder keydata record upon a refresh failure, which prevented the + database of managed keys from subsequently being read back. This has + been fixed. :gl:`#2686` + +- Signed, insecure delegation responses prepared by ``named`` either + lacked the necessary NSEC records or contained duplicate NSEC records + when both wildcard expansion and CNAME chaining were required to + prepare the response. This has been fixed. :gl:`#2759` + +- If ``nsupdate`` sends an SOA request and receives a REFUSED response, + it now fails over to the next available server. :gl:`#2758` + +- A bug that caused the NSEC3 salt to be changed on every restart for + zones using KASP has been fixed. :gl:`#2725` + +- The configuration-checking code failed to account for the inheritance + rules of the ``dnssec-policy`` option. This has been fixed. 
+ :gl:`#2780` + +- The fix for :gl:`#1875` inadvertently introduced a deadlock: when + locking key files for reading and writing, the ``in-view`` logic was + not considered. This has been fixed. :gl:`#2783` + +- A race condition could occur where two threads were competing for the + same set of key file locks, leading to a deadlock. This has been + fixed. :gl:`#2786` diff --git a/doc/notes/notes-9.16.8.rst b/doc/notes/notes-9.16.8.rst index eb789f6143..2ca95d4e61 100644 --- a/doc/notes/notes-9.16.8.rst +++ b/doc/notes/notes-9.16.8.rst @@ -33,7 +33,7 @@ Feature Changes MTU minus the estimated header space. In practice, the smallest MTU witnessed in the operational DNS community is 1500 octets, the maximum Ethernet payload size, so a useful default for maximum DNS/UDP payload - size on reliable networks would be 1400 bytes. :gl:`#2183` + size on reliable networks would be 1432 bytes. :gl:`#2183` Bug Fixes ~~~~~~~~~ diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 00beeb5553..7544bffda6 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -8,14 +8,12 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.16.19 +Notes for BIND 9.16.20 ---------------------- Security Fixes ~~~~~~~~~~~~~~ -- None. - - Named failed to check the opcode of responses when performing refresh, stub updates, and UPDATE forwarding. This could lead to an assertion failure under particular conditions. This has been addressed by checking @@ -30,9 +28,7 @@ Known Issues New Features ~~~~~~~~~~~~ -- Automatic KSK rollover: A new configuration option ``parental-agents`` is - added to add a list of servers to a zone that can be used for checking DS - presence. :gl:`#1126` +- None. Removed Features ~~~~~~~~~~~~~~~~ 
@@ -42,21 +38,6 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- IP fragmentation on outgoing UDP sockets has been disabled. Errors from - sending DNS messages larger than the specified path MTU are properly handled; - ``named`` now sends back empty DNS messages with the TC (TrunCated) bit set, - forcing the DNS client to fall back to TCP. :gl:`#2790` - - ``named`` now sets the DON'T FRAGMENT flag on outgoing UDP packets. According - to the measurements done by multiple parties this should not be causing any - operational problems as most of the Internet "core" is able to cope with IP - message sizes between 1400-1500 bytes, the 1232 size was picked as a - conservative minimal number that could be changed by the DNS operator to a - estimated path MTU minus the estimated header space. In practice, the smallest - MTU witnessed in the operational DNS community is 1500 octets, the Ethernet - maximum payload size, so a a useful default for maximum DNS/UDP payload size - on reliable networks would be 1432. [GL #2183] - - CDS and CDNSKEY records may now be published in a zone without the requirement that they exactly match an existing DNSKEY record, so long the zone is signed with an algorithm represented in the CDS or CDNSKEY 
@@ -66,21 +47,6 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- Fixed a bug that caused the NSEC salt to be changed for KASP zones on - every startup. :gl:`#2725` - -- Signed, insecure delegation responses prepared by ``named`` either - lacked the necessary NSEC records or contained duplicate NSEC records - when both wildcard expansion and CNAME chaining were required to - prepare the response. This has been fixed. :gl:`#2759` - -- A deadlock at startup was introduced when fixing :gl:`#1875` because when - locking key files for reading and writing, "in-view" logic was not taken into - account. This has been fixed. :gl:`#2783` - -- Fix a race condition where two threads are competing for the same set of key - file locks, that could lead to a deadlock. This has been fixed. :gl:`#2786` - - Testing revealed that setting the thread affinity on both the netmgr and netthread threads led to inconsistent recursive performance, as sometimes the netmgr and netthread threads competed over a single diff --git a/util/copyrights b/util/copyrights index 432bc11ea5..ca167f66c3 100644 --- a/util/copyrights +++ b/util/copyrights @@ -368,6 +368,7 @@ ./bin/tests/system/checkds/ns2/setup.sh SH 2021 ./bin/tests/system/checkds/ns5/setup.sh SH 2021 ./bin/tests/system/checkds/ns9/setup.sh SH 2021 +./bin/tests/system/checkds/prereq.sh SH 2021 ./bin/tests/system/checkds/setup.sh SH 2021 ./bin/tests/system/checkds/tests-checkds.py PYTHON-BIN 2021 ./bin/tests/system/checkdstool/clean.sh SH 2012,2013,2014,2016,2017,2018,2019,2020,2021 diff --git a/version b/version index 03f3192a4e..d4a355fd51 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Stable Release)" MAJORVER=9 MINORVER=16 -PATCHVER=18 +PATCHVER=19 RELEASETYPE= RELEASEVER= EXTENSIONS=
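Review bot: In the CHANGES hunk at @@ -31,51 +31,55 @@, entry 5661 now attributes the deadlock to "Change 5644" while the corresponding bullet in doc/notes/notes-9.16.19.rst still says "The fix for :gl:`#1875`"; use one form in both places, or give both ("Change 5644 (the fix for [GL #1875])"), so the two documents agree. In the same hunk, entry 5670 changes its tracker reference from [GL #2769] to [GL #2686], and entry 5666 is retagged from [func] to [doc] although it still describes a changed "edns-udp-size" value rather than a documentation update; please confirm both edits are intended.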
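Review bot: Entry 5624 in the CHANGES hunk at @@ -158,6 +161,11 @@ is inserted above the "--- 9.16.16 released ---" marker, i.e. in a later release section than entry 5637, which follows the marker, so the change numbers run out of sequence there. If 5624 was merged into this branch after 5637, consider placing it where the numbering expects it or adding a short remark, so the entry does not look misfiled.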
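Review bot: In bin/tests/system/checkds/prereq.sh the dnspython >= 2.0.0 requirement is checked only indirectly, by importing `send_tcp` from `dns.query`, while the error message names a version the script never inspects; a one-line comment saying that this import is the proxy for the 2.0.0 minimum would keep the check maintainable. The `if $PYTHON -c ...; then :; else ...; fi` construct can be simplified to `if ! $PYTHON -c "from dns.query import send_tcp" 2> /dev/null; then`, removing the empty branch.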
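Review bot: doc/notes/notes-9.16.19.rst carries no entry for :gl:`#2183`, although CHANGES places entry 5666 (the "edns-udp-size" tweak for that issue) in the 9.16.19 section, and the hunk at @@ -42,21 +38,6 @@ in doc/notes/notes-current.rst deletes the DON'T FRAGMENT / 1432-byte paragraph tagged [GL #2183] without moving it into the new file. Either add a Feature Changes bullet for #2183 to notes-9.16.19.rst or state why the item is intentionally omitted from the release notes.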
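Review bot: The 1400 to 1432 correction in doc/notes/notes-9.16.8.rst edits the notes of an already published release, and the surrounding sentence still describes the figure only as "the estimated path MTU minus the estimated header space" without giving the header sizes subtracted from 1500; adding that arithmetic in parentheses would let readers verify 1432 and make clear why the earlier 1400 was wrong.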