21 files changed, 1696 insertions, 0 deletions
diff --git a/doc/notes/notes-9.18.0.rst b/doc/notes/notes-9.18.0.rst
new file mode 100644
index 0000000..68f8c9b
--- /dev/null
+++ b/doc/notes/notes-9.18.0.rst
@@ -0,0 +1,346 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.0
+---------------------
+
+.. note:: This section only lists changes since BIND 9.16.25, the most
+          recent release on the previous stable branch of BIND before
+          the publication of BIND 9.18.0.
+
+Known Issues
+~~~~~~~~~~~~
+
+- ``rndc`` has been updated to use the new BIND network manager API. As
+  the network manager currently has no support for UNIX-domain sockets,
+  those cannot now be used with ``rndc``. This will be addressed in a
+  future release, either by restoring UNIX-domain socket support or by
+  formally declaring them to be obsolete in the control channel.
+  :gl:`#1759`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
+New Features
+~~~~~~~~~~~~
+
+- ``named`` now supports securing DNS traffic using Transport Layer
+  Security (TLS). TLS is used by both DNS over TLS (DoT) and
+  DNS over HTTPS (DoH).
+
+  ``named`` can use either a certificate provided by the user or an
+  ephemeral certificate generated automatically upon startup. The
+  :any:`tls` block allows fine-grained control over TLS
+  parameters. :gl:`#1840` :gl:`#2795` :gl:`#2796`
+
+  For debugging purposes, ``named`` logs TLS pre-master secrets when the
+  ``SSLKEYLOGFILE`` environment variable is set. This enables
+  troubleshooting of issues with encrypted traffic. :gl:`#2723`
+
+- Support for DNS over TLS (DoT) has been added to ``named``. Network
+  interfaces for DoT are configured using the existing
+  :ref:`listen-on <interfaces>` directive, while TLS parameters are
+  configured using the new :any:`tls` block. :gl:`#1840`
+
+  ``named`` supports :rfc:`zone transfers over TLS <9103>`
+  (XFR-over-TLS, XoT) for both incoming and outgoing zone transfers.
+
+  Incoming zone transfers over TLS are enabled by adding the :any:`tls`
+  keyword, followed by either the name of a previously configured
+  :any:`tls` block or the string ``ephemeral``, to the
+  addresses included in :any:`primaries` lists.
+  :gl:`#2392`
+
+  Similarly, the :any:`allow-transfer` option
+  was extended to accept additional ``port`` and ``transport``
+  parameters, to further restrict outgoing zone transfers to a
+  particular port and/or DNS transport protocol. :gl:`#2776`
+
+  Note that zone transfers over TLS (XoT) require the ``dot``
+  Application-Layer Protocol Negotiation (ALPN) token to be selected in
+  the TLS handshake, as required by :rfc:`9103` section 7.1. This might
+  cause issues with non-compliant XoT servers. :gl:`#2794`
+
+  The ``dig`` tool is now able to send DoT queries (``+tls`` option).
+  :gl:`#1840`
+
+  There is currently no support for forwarding DNS queries via DoT.
+
+- Support for DNS over HTTPS (DoH) has been added to ``named``. Both
+  TLS-encrypted and unencrypted connections are supported (the latter
+  may be used to offload encryption to other software). Network
+  interfaces for DoH are configured using the existing
+  :ref:`listen-on <interfaces>` directive, while TLS parameters are
+  configured using the new :any:`tls` block and HTTP
+  parameters are configured using the new :any:`http` block.
+  :gl:`#1144` :gl:`#2472`
+
+  Server-side quotas on both the number of concurrent DoH connections
+  and the number of active HTTP/2 streams per connection can be
+  configured using the global :any:`http-listener-clients` and
+  :any:`http-streams-per-connection` options, or the :any:`listener-clients`
+  and :any:`streams-per-connection` parameters in an
+  :any:`http block <http>`. :gl:`#2809`
+
+  The ``dig`` tool is now able to send DoH queries (``+https`` option).
+  :gl:`#1641`
+
+  There is currently no support for forwarding DNS queries via DoH.
+
+  DoH support can be disabled at compile time using a new build-time
+  option, ``--disable-doh``. This allows BIND 9 to be built without the
+  `libnghttp2`_ library. :gl:`#2478`
+
+- A new logging category, ``rpz-passthru``, was added, which allows RPZ
+  passthru actions to be logged into a separate channel. :gl:`#54`
+
+- A new option, ``nsdname-wait-recurse``, has been added to the
+  :any:`response-policy` clause in the configuration file. When set to
+  ``no``, RPZ NSDNAME rules are only applied if the authoritative
+  nameservers for the query name have been looked up and are present in
+  the cache. If this information is not present, the RPZ NSDNAME rules
+  are ignored, but the information is looked up in the background and
+  applied to subsequent queries. The default is ``yes``, meaning that
+  RPZ NSDNAME rules should always be applied, even if the information
+  needs to be looked up first. :gl:`#1138`
+
+- Support for HTTPS and SVCB record types now also includes ADDITIONAL
+  section processing for these record types. :gl:`#1132`
+
+- New configuration options, :any:`tcp-receive-buffer`,
+  :any:`tcp-send-buffer`, :any:`udp-receive-buffer`, and :any:`udp-send-buffer`,
+  have been added. These options allow the operator to fine-tune the
+  receiving and sending buffers in the operating system. On busy
+  servers, increasing the size of the receive buffers can prevent the
+  server from dropping packets during short traffic spikes, and
+  decreasing it can prevent the server from becoming clogged with
+  queries that are too old and have already timed out. :gl:`#2313`
+
+- New finer-grained :any:`update-policy` rule types,
+  ``krb5-subdomain-self-rhs`` and ``ms-subdomain-self-rhs``, were added.
+  These rule types restrict updates to SRV and PTR records so that their
+  content can only match the machine name embedded in the Kerberos
+  principal making the change. :gl:`#481`
+
+- Per-type record count limits can now be specified in :any:`update-policy`
+  statements, to limit the number of records of a particular type that
+  can be added to a domain name via dynamic update. :gl:`#1657`
+
+- Support for OpenSSL 3.0 APIs was added. :gl:`#2843` :gl:`#3057`
+
+- Extended DNS Error Code 18 - Prohibited (see :rfc:`8914` section
+  4.19) is now set if query access is denied to the specific client.
+  :gl:`#1836`
+
+- ``ipv4only.arpa`` is now served when DNS64 is configured. :gl:`#385`
+
+- ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``).
+  This is useful when the host on which ``dig`` is run is behind an
+  IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a
+  Service). :gl:`#1154`
+
+- ``dig`` output now includes the transport protocol used (UDP, TCP,
+  TLS, HTTPS). :gl:`#1144` :gl:`#1816`
+
+- ``dig +qid=<num>`` allows the user to specify a particular query ID
+  for testing purposes. :gl:`#1851`
+
+.. _libnghttp2: https://nghttp2.org/
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Support for the ``map`` zone file format (``masterfile-format map;``)
+  has been removed. Users relying on the ``map`` format are advised to
+  convert their zones to the ``raw`` format with ``named-compilezone``
+  and change the configuration appropriately prior to upgrading BIND 9.
+  :gl:`#2882`
+
+- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
+  enabled in ``named`` at build time have been removed. New-style DLZ
+  modules should be used as a replacement. :gl:`#2814`
+
+- Support for compiling and running BIND 9 natively on Windows has been
+  completely removed. The last stable release branch that has working
+  Windows support is BIND 9.16. :gl:`#2690`
+
+- Native PKCS#11 support has been removed. :gl:`#2691`
+
+  When built against OpenSSL 1.x, BIND 9 now
+  :ref:`uses engine_pkcs11 for PKCS#11 <pkcs11>`. engine_pkcs11 is an
+  OpenSSL engine which is part of the `OpenSC`_ project.
+
+  As support for so-called "engines" was deprecated in OpenSSL 3.x,
+  compiling BIND 9 against an OpenSSL 3.x build which does not retain
+  support for deprecated APIs makes it impossible to use PKCS#11 in BIND
+  9. A replacement for engine_pkcs11 which employs the new "provider"
+  approach introduced in OpenSSL 3.x is in the making. :gl:`#2843`
+
+- The utilities ``dnssec-checkds``, ``dnssec-coverage``, and
+  ``dnssec-keymgr`` have been removed from the BIND distribution, as well
+  as the ``isc`` Python package. DNSSEC features formerly provided
+  by these utilities are now integrated into ``named``.
+  See the :any:`dnssec-policy` configuration option
+  for more details.
+
+  An archival version of the Python utilities has been moved to
+  the repository https://gitlab.isc.org/isc-projects/dnssec-keymgr/.
+  Please note these tools are no longer supported by ISC.
+
+- Since the old socket manager API has been removed, "socketmgr"
+  statistics are no longer reported by the
+  :any:`statistics-channels`. :gl:`#2926`
+
+- The :any:`glue-cache` *option* has been marked as deprecated. The glue
+  cache *feature* still works and will be permanently *enabled* in a
+  future release. :gl:`#2146`
+
+- A number of non-working configuration options that had been marked as
+  obsolete in previous releases have now been removed completely. Using
+  any of the following options is now considered a configuration
+  failure: ``acache-cleaning-interval``, ``acache-enable``,
+  ``additional-from-auth``, ``additional-from-cache``,
+  ``allow-v6-synthesis``, ``cleaning-interval``, ``dnssec-enable``,
+  ``dnssec-lookaside``, ``filter-aaaa``, ``filter-aaaa-on-v4``,
+  ``filter-aaaa-on-v6``, ``geoip-use-ecs``, ``lwres``,
+  ``max-acache-size``, ``nosit-udp-size``, ``queryport-pool-ports``,
+  ``queryport-pool-updateinterval``, ``request-sit``, ``sit-secret``,
+  ``support-ixfr``, ``use-queryport-pool``, ``use-ixfr``. :gl:`#1086`
+
+- The ``dig`` option ``+unexpected`` has been removed. :gl:`#2140`
+
+- IPv6 sockets are now explicitly restricted to sending and receiving
+  IPv6 packets only. As this breaks the ``+mapped`` option for ``dig``,
+  the option has been removed. :gl:`#3093`
+
+- Disable and disallow static linking of BIND 9 binaries and libraries
+  as BIND 9 modules require ``dlopen()`` support and static linking also
+  prevents using security features like read-only relocations (RELRO) or
+  address space layout randomization (ASLR) which are important for
+  programs that interact with the network and process arbitrary user
+  input. :gl:`#1933`
+
+- The ``--with-gperftools-profiler`` ``configure`` option was removed.
+  To use the gperftools profiler, the ``HAVE_GPERFTOOLS_PROFILER`` macro
+  now needs to be manually set in ``CFLAGS`` and ``-lprofiler`` needs to
+  be present in ``LDFLAGS``. :gl:`!4045`
+
+.. _OpenSC: https://github.com/OpenSC/libp11
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Aggressive Use of DNSSEC-Validated Cache (:any:`synth-from-dnssec`, see
+  :rfc:`8198`) is now enabled by default again, after having been
+  disabled in BIND 9.14.8. The implementation of this feature was
+  reworked to achieve better efficiency and tuned to ignore certain
+  types of broken NSEC records. Negative answer synthesis is currently
+  only supported for zones using NSEC. :gl:`#1265`
+
+- The default NSEC3 parameters for :any:`dnssec-policy` were updated to no
+  extra SHA-1 iterations and no salt (``NSEC3PARAM 1 0 0 -``). This
+  change is in line with the `latest NSEC3 recommendations`_.
+  :gl:`#2956`
+
+- The default for :any:`dnssec-dnskey-kskonly` was changed to ``yes``. This
+  means that DNSKEY, CDNSKEY, and CDS RRsets are now only signed with
+  the KSK by default. The additional signatures prepared using the ZSK
+  when the option is set to ``no`` add to the DNS response payload
+  without offering added value. :gl:`#1316`
+
+- ``dnssec-cds`` now only generates SHA-2 DS records by default and
+  avoids copying deprecated SHA-1 records from a child zone to its
+  delegation in the parent. If the child zone does not publish SHA-2 CDS
+  records, ``dnssec-cds`` will generate them from the CDNSKEY records.
+  The ``-a algorithm`` option now affects the process of generating DS
+  digest records from both CDS and CDNSKEY records. Thanks to Tony
+  Finch. :gl:`#2871`
+
+- Previously, ``named`` accepted FORMERR responses both with and without
+  an OPT record, as an indication that a given server did not support
+  EDNS. To implement full compliance with :rfc:`6891`, only FORMERR
+  responses without an OPT record are now accepted. This intentionally
+  breaks communication with servers that do not support EDNS and that
+  incorrectly echo back the query message with the RCODE field set to
+  FORMERR and the QR bit set to 1. :gl:`#2249`
+
+- The question section is now checked when processing AXFR, IXFR, and
+  SOA replies while transferring a zone in. :gl:`#1683`
+
+- DNS Flag Day 2020: the EDNS buffer size probing code, which made the
+  resolver adjust the EDNS buffer size used for outgoing queries based
+  on the successful query responses and timeouts observed, was removed.
+  The resolver now always uses the EDNS buffer size set in
+  :any:`edns-udp-size` for all outgoing queries. :gl:`#2183`
+
+- Keeping stale answers in cache (:any:`stale-cache-enable`) has been
+  disabled by default. :gl:`#1712`
+
+- Overall memory use by ``named`` has been optimized and significantly
+  reduced, especially for resolver workloads. :gl:`#2398` :gl:`#3048`
+
+- Memory allocation is now based on the memory allocation API provided
+  by the `jemalloc`_ library, on platforms where it is available. Use of
+  this library is now recommended when building BIND 9; although it is
+  optional, it is enabled by default. :gl:`#2433`
+
+- Internal data structures maintained for each cache database are now
+  grown incrementally when they need to be expanded. This helps maintain
+  a steady response rate on a loaded resolver while these internal data
+  structures are resized. :gl:`#2941`
+
+- The interface handling code has been refactored to use fewer
+  resources, which should lead to less memory fragmentation and better
+  startup performance. :gl:`#2433`
+
+- When reporting zone types in the statistics channel, the terms
+  :any:`primary <type primary>` and :any:`secondary <type secondary>` are now used instead of ``master`` and
+  ``slave``, respectively. :gl:`#1944`
+
+- The ``rndc nta -dump`` and ``rndc secroots`` commands now both include
+  :any:`validate-except` entries when listing negative trust anchors. These
+  are indicated by the keyword ``permanent`` in place of the expiry
+  date. :gl:`#1532`
+
+- The output of ``rndc serve-stale status`` has been clarified. It now
+  explicitly reports whether retention of stale data in the cache is
+  enabled (:any:`stale-cache-enable`), and whether returning such data in
+  responses is enabled (:any:`stale-answer-enable`). :gl:`#2742`
+
+- Previously, using ``dig +bufsize=0`` had the side effect of disabling
+  EDNS, and there was no way to test the remote server's behavior when
+  it had received a packet with EDNS0 buffer size set to 0. This is no
+  longer the case; ``dig +bufsize=0`` now sends a DNS message with EDNS
+  version 0 and buffer size set to 0. To disable EDNS, use ``dig
+  +noedns``. :gl:`#2054`
+
+- BIND 9 binaries which are neither daemons nor administrative programs
+  were moved to ``$bindir``. Only ``ddns-confgen``, ``named``, ``rndc``,
+  ``rndc-confgen``, and ``tsig-confgen`` were left in ``$sbindir``.
+  :gl:`#1724`
+
+- The BIND 9 build system has been changed to use a typical
+  autoconf+automake+libtool stack. This should not make any difference
+  for people building BIND 9 from release tarballs, but when building
+  BIND 9 from the Git repository, ``autoreconf -fi`` needs to be run
+  first. Extra attention is also needed when using non-standard
+  ``configure`` options. :gl:`#4`
+
+.. _latest NSEC3 recommendations: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-02
+
+.. _jemalloc: http://jemalloc.net/
+
+Bug Fixes
+~~~~~~~~~
+
+- Log files using ``timestamp``-style suffixes were not always correctly
+  removed when the number of files exceeded the limit set by
+  ``versions``. This has been fixed. :gl:`#828`
diff --git a/doc/notes/notes-9.18.1.rst b/doc/notes/notes-9.18.1.rst
new file mode 100644
index 0000000..f76369b
--- /dev/null
+++ b/doc/notes/notes-9.18.1.rst
@@ -0,0 +1,107 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.1
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The rules for acceptance of records into the cache have been tightened
+  to prevent the possibility of poisoning if forwarders send records
+  outside the configured bailiwick. (CVE-2021-25220)
+
+  ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
+  Network and Information Security Lab, Tsinghua University, and
+  Changgen Zou from Qi An Xin Group Corp. for bringing this
+  vulnerability to our attention. :gl:`#2950`
+
+- TCP connections with :any:`keep-response-order` enabled could leave the
+  TCP sockets in the ``CLOSE_WAIT`` state when the client did not
+  properly shut down the connection. (CVE-2022-0396) :gl:`#3112`
+
+- Lookups involving a DNAME could trigger an assertion failure when
+  :any:`synth-from-dnssec` was enabled (which is the default).
+  (CVE-2022-0635)
+
+  ISC would like to thank Vincent Levigneron from AFNIC for bringing
+  this vulnerability to our attention. :gl:`#3158`
+
+- When chasing DS records, a timed-out or artificially delayed fetch
+  could cause ``named`` to crash while resuming a DS lookup.
+  (CVE-2022-0667) :gl:`#3129`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DLZ API has been updated: EDNS Client-Subnet (ECS) options sent
+  by a client are now included in the client information sent to DLZ
+  modules when processing queries. :gl:`#3082`
+
+- DEBUG(1)-level messages were added when starting and ending the BIND 9
+  task-exclusive mode that stops normal DNS operation (e.g. for
+  reconfiguration, interface scans, and other events that require
+  exclusive access to a shared resource). :gl:`#3137`
+
+- The limit on the number of simultaneously processed pipelined DNS
+  queries received over TCP has been removed. Previously, it was capped
+  at 23 queries processed at the same time. :gl:`#3141`
+
+Bug Fixes
+~~~~~~~~~
+
+- A failed view configuration during a ``named`` reconfiguration
+  procedure could cause inconsistencies in BIND internal structures,
+  causing a crash or other unexpected errors. This has been fixed.
+  :gl:`#3060`
+
+- Previously, ``named`` logged a "quota reached" message when it hit its
+  hard quota on the number of connections. That message was accidentally
+  removed but has now been restored. :gl:`#3125`
+
+- The :any:`max-transfer-time-out` and :any:`max-transfer-idle-out` options
+  were not implemented when the BIND 9 networking stack was refactored
+  in 9.16. The missing functionality has been re-implemented and
+  outgoing zone transfers now time out properly when not progressing.
+  :gl:`#1897`
+
+- TCP connections could hang indefinitely if the other party did not
+  read sent data, causing the TCP write buffers to fill. This has been
+  fixed by adding a "write" timer. Connections that are hung while
+  writing now time out after the :any:`tcp-idle-timeout` period has
+  elapsed. :gl:`#3132`
+
+- Client TCP connections are now closed immediately when data received
+  cannot be parsed as a valid DNS request. :gl:`#3149`
+
+- The statistics counter representing the current number of clients
+  awaiting recursive resolution results (``RecursClients``) could be
+  miscalculated in certain resolution scenarios, potentially causing the
+  value of the counter to drop below zero. This has been fixed.
+  :gl:`#3147`
+
+- An error in the processing of the :any:`blackhole` ACL could cause some
+  DNS requests sent by :iscman:`named` to fail - for example, zone
+  transfer requests and SOA refresh queries - if the destination address
+  or prefix was specifically excluded from the ACL using ``!``, or if
+  the ACL was set to ``none``. This has now been fixed. :any:`blackhole`
+  worked correctly when it was left unset, or if only positive-match
+  elements were included. :gl:`#3157`
+
+- Build errors were introduced in some DLZ modules due to an incomplete
+  change in the previous release. This has been fixed. :gl:`#3111`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.10.rst b/doc/notes/notes-9.18.10.rst
new file mode 100644
index 0000000..2fb54f3
--- /dev/null
+++ b/doc/notes/notes-9.18.10.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.10
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- To reduce unnecessary memory consumption in the cache, NXDOMAIN
+  records are no longer retained past the normal negative cache TTL,
+  even if :any:`stale-cache-enable` is set to ``yes``. :gl:`#3386`
+
+- The :any:`auto-dnssec` option has been deprecated and will be removed
+  in a future BIND 9.19.x release. Please migrate to
+  :any:`dnssec-policy`. :gl:`#3667`
+
+- The :any:`coresize`, :any:`datasize`, :any:`files`, and
+  :any:`stacksize` options have been deprecated. The limits these
+  options set should be enforced externally, either by manual
+  configuration (e.g. using ``ulimit``) or via the process supervisor
+  (e.g. ``systemd``). :gl:`#3676`
+
+- Setting alternate local addresses for inbound zone transfers has been
+  deprecated. The relevant options (:any:`alt-transfer-source`,
+  :any:`alt-transfer-source-v6`, and :any:`use-alt-transfer-source`)
+  will be removed in a future BIND 9.19.x release. :gl:`#3694`
+
+- The number of HTTP headers allowed in requests sent to
+  :iscman:`named`'s statistics channel has been increased from 10 to
+  100, to accommodate some browsers that send more than 10 headers
+  by default. :gl:`#3670`
+
+Bug Fixes
+~~~~~~~~~
+
+- :iscman:`named` could crash due to an assertion failure when an HTTP
+  connection to the statistics channel was closed prematurely (due to a
+  connection error, shutdown, etc.). This has been fixed. :gl:`#3693`
+
+- When a catalog zone was removed from the configuration, in some cases
+  a dangling pointer could cause the :iscman:`named` process to crash.
+  This has been fixed. :gl:`#3683`
+
+- When a zone was deleted from a server, a key management object related
+  to that zone was inadvertently kept in memory and only released upon
+  shutdown. This could lead to constantly increasing memory use on
+  servers with a high rate of changes affecting the set of zones being
+  served. This has been fixed. :gl:`#3727`
+
+- TLS configuration for primary servers was not applied for zones that
+  were members of a catalog zone. This has been fixed. :gl:`#3638`
+
+- In certain cases, :iscman:`named` waited for the resolution of
+  outstanding recursive queries to finish before shutting down. This was
+  unintended and has been fixed. :gl:`#3183`
+
+- :iscman:`host` and :iscman:`nslookup` command-line options setting the
+  custom TCP/UDP port to use were ignored for ANY queries (which are
+  sent over TCP). This has been fixed. :gl:`#3721`
+
+- The ``zone <name>/<class>: final reference detached`` log message was
+  moved from the INFO log level to the DEBUG(1) log level to prevent the
+  :iscman:`named-checkzone` tool from superfluously logging this message
+  in non-debug mode. :gl:`#3707`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.11.rst b/doc/notes/notes-9.18.11.rst
new file mode 100644
index 0000000..3e44dc2
--- /dev/null
+++ b/doc/notes/notes-9.18.11.rst
@@ -0,0 +1,112 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.11
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- An UPDATE message flood could cause :iscman:`named` to exhaust all
+  available memory. This flaw was addressed by adding a new
+  :any:`update-quota` option that controls the maximum number of
+  outstanding DNS UPDATE messages that :iscman:`named` can hold in a
+  queue at any given time (default: 100). (CVE-2022-3094)
+
+  ISC would like to thank Rob Schulhof from Infoblox for bringing this
+  vulnerability to our attention. :gl:`#3523`
+
+- :iscman:`named` could crash with an assertion failure when an RRSIG
+  query was received and :any:`stale-answer-client-timeout` was set to a
+  non-zero value. This has been fixed. (CVE-2022-3736)
+
+  ISC would like to thank Borja Marcos from Sarenet (with assistance by
+  Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
+  our attention. :gl:`#3622`
+
+- :iscman:`named` running as a resolver with the
+  :any:`stale-answer-client-timeout` option set to any value greater
+  than ``0`` could crash with an assertion failure, when the
+  :any:`recursive-clients` soft quota was reached. This has been fixed.
+  (CVE-2022-3924)
+
+  ISC would like to thank Maksym Odinintsev from AWS for bringing this
+  vulnerability to our attention. :gl:`#3619`
+
+New Features
+~~~~~~~~~~~~
+
+- The new :any:`update-quota` option can be used to control the number
+  of simultaneous DNS UPDATE messages that can be processed to update an
+  authoritative zone on a primary server, or forwarded to the primary
+  server by a secondary server. The default is 100. A new statistics
+  counter has also been added to record events when this quota is
+  exceeded, and the version numbers for the XML and JSON statistics
+  schemas have been updated. :gl:`#3523`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- The Differentiated Services Code Point (DSCP) feature in BIND has been
+  non-operational since the new Network Manager was introduced in BIND
+  9.16. It is now marked as obsolete, and vestigial code implementing it
+  has been removed. Configuring DSCP values in ``named.conf`` now causes
+  a warning to be logged. :gl:`#3773`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The catalog zone implementation has been optimized to work with
+  hundreds of thousands of member zones. :gl:`#3212` :gl:`#3744`
+
+Bug Fixes
+~~~~~~~~~
+
+- A rare assertion failure was fixed in outgoing TCP DNS connection
+  handling. :gl:`#3178` :gl:`#3636`
+
+- Large zone transfers over TLS (XoT) could fail. This has been fixed.
+  :gl:`#3772`
+
+- In addition to a previously fixed bug, another similar issue was
+  discovered where quotas could be erroneously reached for servers,
+  including any configured forwarders, resulting in SERVFAIL answers
+  being sent to clients. This has been fixed. :gl:`#3752`
+
+- In certain query resolution scenarios (e.g. when following CNAME
+  records), :iscman:`named` configured to answer from stale cache could
+  return a SERVFAIL response despite a usable, non-stale answer being
+  present in the cache. This has been fixed. :gl:`#3678`
+
+- When an outgoing request timed out, :iscman:`named` would retry up to
+  three times with the same server instead of trying the next available
+  name server. This has been fixed. :gl:`#3637`
+
+- Recently used ADB names and ADB entries (IP addresses) could get
+  cleaned when ADB was under memory pressure. To mitigate this, only
+  actual ADB names and ADB entries are now counted (excluding internal
+  memory structures used for "housekeeping") and recently used (<= 10
+  seconds) ADB names and entries are excluded from the overmem memory
+  cleaner. :gl:`#3739`
+
+- The "Prohibited" Extended DNS Error was inadvertently set in some
+  NOERROR responses. This has been fixed. :gl:`#3743`
+
+- Previously, TLS session resumption could have led to handshake
+  failures when client certificates were used for authentication (Mutual
+  TLS). This has been fixed. :gl:`#3725`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.12.rst b/doc/notes/notes-9.18.12.rst
new file mode 100644
index 0000000..be2046a
--- /dev/null
+++ b/doc/notes/notes-9.18.12.rst
@@ -0,0 +1,54 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.12
+----------------------
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Specifying a ``port`` when configuring source addresses (i.e., as an
+  argument to :any:`query-source`, :any:`query-source-v6`,
+  :any:`transfer-source`, :any:`transfer-source-v6`,
+  :any:`notify-source`, :any:`notify-source-v6`, :any:`parental-source`,
+  or :any:`parental-source-v6`, or in the ``source`` or ``source-v6``
+  arguments to :any:`primaries`, :any:`parental-agents`,
+  :any:`also-notify`, or :any:`catalog-zones`) has been deprecated. In
+  addition, the :any:`use-v4-udp-ports`, :any:`use-v6-udp-ports`,
+  :any:`avoid-v4-udp-ports`, and :any:`avoid-v6-udp-ports` options have
+  also been deprecated.
+
+  Warnings are now logged when any of these options are encountered in
+  ``named.conf``. In a future release, they will be made nonfunctional.
+  :gl:`#3781`
+
+Bug Fixes
+~~~~~~~~~
+
+- A constant stream of zone additions and deletions via ``rndc
+  reconfig`` could cause increased memory consumption due to delayed
+  cleaning of view memory. This has been fixed. :gl:`#3801`
+
+- The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
+  NSEC3 hashing, has been improved. :gl:`#3795`
+
+- Pointing :any:`parental-agents` to a resolver did not work because the
+  RD bit was not set on DS requests. This has been fixed. :gl:`#3783`
+
+- Building BIND 9 failed when the ``--enable-dnsrps`` switch for
+  ``./configure`` was used. This has been fixed. :gl:`#3827`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.13.rst b/doc/notes/notes-9.18.13.rst
new file mode 100644
index 0000000..90b374a
--- /dev/null
+++ b/doc/notes/notes-9.18.13.rst
@@ -0,0 +1,75 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.13
+----------------------
+
+New Features
+~~~~~~~~~~~~
+
+- RPZ updates are now run on specialized "offload" threads to reduce the
+  amount of time they block query processing on the main networking
+  threads. This increases the responsiveness of :iscman:`named` when RPZ
+  updates are being applied after an RPZ zone has been successfully
+  transferred. :gl:`#3190`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Catalog zone updates are now run on specialized "offload" threads to
+  reduce the amount of time they block query processing on the main
+  networking threads. This increases the responsiveness of
+  :iscman:`named` when catalog zone updates are being applied after a
+  catalog zone has been successfully transferred. :gl:`#3881`
+
+- libuv support for receiving multiple UDP messages in a single
+  ``recvmmsg()`` system call has been tweaked several times between
+  libuv versions 1.35.0 and 1.40.0; the current recommended libuv
+  version is 1.40.0 or higher. New rules are now in effect for running
+  with a different version of libuv than the one used at compilation
+  time. These rules may trigger a fatal error at startup:
+
+  - Building against or running with libuv versions 1.35.0 and 1.36.0 is
+    now a fatal error.
+
+  - Running with libuv version higher than 1.34.2 is now a fatal error
+    when :iscman:`named` is built against libuv version 1.34.2 or lower.
+
+  - Running with libuv version higher than 1.39.0 is now a fatal error
+    when :iscman:`named` is built against libuv version 1.37.0, 1.38.0,
+    1.38.1, or 1.39.0.
+
+  This prevents the use of libuv versions that may trigger an assertion
+  failure when receiving multiple UDP messages in a single system call.
+  :gl:`#3840`
+
+Bug Fixes
+~~~~~~~~~
+
+- :iscman:`named` could crash with an assertion failure when adding a
+  new zone into the configuration file for a name which was already
+  configured as a member zone for a catalog zone. This has been fixed.
+  :gl:`#3911`
+
+- When :iscman:`named` starts up, it sends a query for the DNSSEC key
+  for each configured trust anchor to determine whether the key has
+  changed. In some unusual cases, the query might depend on a zone for
+  which the server is itself authoritative, and would have failed if it
+  were sent before the zone was fully loaded. This has now been fixed by
+  delaying the key queries until all zones have finished loading.
+  :gl:`#3673`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.14.rst b/doc/notes/notes-9.18.14.rst
new file mode 100644
index 0000000..38e0256
--- /dev/null
+++ b/doc/notes/notes-9.18.14.rst
@@ -0,0 +1,46 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.14
+----------------------
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- Zone type ``delegation-only``, and the ``delegation-only`` and
+  ``root-delegation-only`` statements, have been deprecated.
+  A warning is now logged when they are used.
+
+  These statements were created to address the SiteFinder controversy,
+  in which certain top-level domains redirected misspelled queries to
+  other sites instead of returning NXDOMAIN responses. Since top-level
+  domains are now DNSSEC-signed, and DNSSEC validation is active by
+  default, the statements are no longer needed. :gl:`#3953`
+
+Bug Fixes
+~~~~~~~~~
+
+- Several bugs which could cause :iscman:`named` to crash during catalog
+  zone processing have been fixed. :gl:`#3955` :gl:`#3968` :gl:`#3997`
+
+- Previously, downloading large zones over TLS (XoT) from a primary
+  could hang the transfer on the secondary, especially when the
+  connection was unstable. This has been fixed. :gl:`#3867`
+
+- Performance of DNSSEC validation in zones with many DNSKEY records has
+  been improved. :gl:`#3981`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.15.rst b/doc/notes/notes-9.18.15.rst
new file mode 100644
index 0000000..7642ab2
--- /dev/null
+++ b/doc/notes/notes-9.18.15.rst
@@ -0,0 +1,57 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.15
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- The :any:`max-transfer-time-in` and :any:`max-transfer-idle-in`
+  statements have not had any effect since the BIND 9 networking stack
+  was refactored in version 9.16. The missing functionality has been
+  re-implemented and incoming zone transfers now time out properly when
+  not progressing. :gl:`#4004`
+
+- The read timeout in :iscman:`rndc` is now 60 seconds, matching the
+  behavior in BIND 9.16 and earlier. It had previously been lowered to
+  30 seconds by mistake. :gl:`#4046`
+
+- When the ``ISC_R_INVALIDPROTO`` (``ENOPROTOOPT``, ``EPROTONOSUPPORT``)
+  error code is returned by libuv, it is now treated as a network
+  failure: the server for which that error code is returned gets marked
+  as broken and is not contacted again during a given resolution
+  process. :gl:`#4005`
+
+- When removing delegations from an opt-out range, empty-non-terminal
+  NSEC3 records generated by those delegations were not cleaned up. This
+  has been fixed. :gl:`#4027`
+
+- Log file rotation code did not clean up older versions of log files
+  when the logging :any:`channel` had an absolute path configured as a
+  ``file`` destination. This has been fixed. :gl:`#3991`
+
+Known Issues
+~~~~~~~~~~~~
+
+- Sending NOTIFY messages silently fails when the source port specified
+  in the :any:`notify-source` statement is already in use. This can
+  happen e.g. when multiple servers are configured as NOTIFY targets for
+  a zone and some of them are unresponsive. This issue can be worked
+  around by not specifying the source port for NOTIFY messages in the
+  :any:`notify-source` statement; note that source port configuration is
+  already `deprecated`_ and will be removed altogether in a future
+  release. :gl:`#4002`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
+.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781
diff --git a/doc/notes/notes-9.18.16.rst b/doc/notes/notes-9.18.16.rst
new file mode 100644
index 0000000..9ed090c
--- /dev/null
+++ b/doc/notes/notes-9.18.16.rst
@@ -0,0 +1,72 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.16
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- The overmem cleaning process has been improved, to prevent the cache from
+  significantly exceeding the configured :any:`max-cache-size` limit.
+  (CVE-2023-2828)
+
+  ISC would like to thank Shoham Danino from Reichman University, Anat
+  Bremler-Barr from Tel-Aviv University, Yehuda Afek from Tel-Aviv University,
+  and Yuval Shavitt from Tel-Aviv University for bringing this vulnerability to
+  our attention.  :gl:`#4055`
+
+- A query that prioritizes stale data over lookup triggers a fetch to refresh
+  the stale data in cache. If the fetch is aborted for exceeding the recursion
+  quota, it was possible for :iscman:`named` to enter an infinite callback
+  loop and crash due to stack overflow. This has been fixed. (CVE-2023-2911)
+  :gl:`#4089`
+
+New Features
+~~~~~~~~~~~~
+
+- The system test suite can now be executed with pytest (along with
+  pytest-xdist for parallel execution). :gl:`#3978`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- TKEY mode 2 (Diffie-Hellman Exchanged Keying) is now deprecated, and
+  will be removed in a future release. A warning will be logged when
+  the :any:`tkey-dhkey` option is used in ``named.conf``. :gl:`#3905`
+
+Bug Fixes
+~~~~~~~~~
+
+- BIND could get stuck on reconfiguration when a :any:`listen-on`
+  statement for HTTP is removed from the configuration. That has been
+  fixed. :gl:`#4071`
+
+- Previously, it was possible for a delegation from cache to be returned
+  to the client after the :any:`stale-answer-client-timeout` duration.
+  This has been fixed. :gl:`#3950`
+
+- BIND could allocate too big buffers when sending data via
+  stream-based DNS transports, leading to increased memory usage.
+  This has been fixed. :gl:`#4038`
+
+- When the :any:`stale-answer-enable` option was enabled and the
+  :any:`stale-answer-client-timeout` option was enabled and larger than
+  0, :iscman:`named` previously allocated two slots from the
+  :any:`clients-per-query` limit for each client and failed to gradually
+  auto-tune its value, as configured. This has been fixed. :gl:`#4074`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.17.rst b/doc/notes/notes-9.18.17.rst
new file mode 100644
index 0000000..87dbca3
--- /dev/null
+++ b/doc/notes/notes-9.18.17.rst
@@ -0,0 +1,42 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.17
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- If a response from an authoritative server has its RCODE set to
+  FORMERR and contains an echoed EDNS COOKIE option that was present in
+  the query, :iscman:`named` now retries sending the query to the
+  same server without an EDNS COOKIE option. :gl:`#4049`
+
+- The ``relaxed`` QNAME minimization mode now uses NS records. This
+  reduces the number of queries :iscman:`named` makes when resolving, as
+  it allows the non-existence of NS RRsets at non-referral nodes to be
+  cached in addition to the normally cached referrals. :gl:`#3325`
+
+Bug Fixes
+~~~~~~~~~
+
+- The ability to read HMAC-MD5 key files, which was accidentally lost in
+  BIND 9.18.8, has been restored. :gl:`#3668` :gl:`#4154`
+
+- Several minor stability issues with the catalog zone implementation
+  have been fixed. :gl:`#4132` :gl:`#4136` :gl:`#4171`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.18.rst b/doc/notes/notes-9.18.18.rst
new file mode 100644
index 0000000..1071967
--- /dev/null
+++ b/doc/notes/notes-9.18.18.rst
@@ -0,0 +1,47 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.18
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- When a primary server for a zone responds to an SOA query, but the
+  subsequent TCP connection required to transfer the zone is refused,
+  that server is marked as temporarily unreachable. This now also
+  happens if the TCP connection attempt times out, preventing too many
+  zones from queuing up on an unreachable server and allowing the
+  refresh process to move on to the next configured primary more
+  quickly. :gl:`#4215`
+
+- The :any:`dialup` and :any:`heartbeat-interval` options have been
+  deprecated and will be removed in a future BIND 9 release. :gl:`#3700`
+
+Bug Fixes
+~~~~~~~~~
+
+- Processing already-queued queries received over TCP could cause an
+  assertion failure, when the server was reconfigured at the same time
+  or the cache was being flushed. This has been fixed. :gl:`#4200`
+
+- Setting :any:`dnssec-policy` to ``insecure`` prevented zones
+  containing resource records with a TTL value larger than 86400 seconds
+  (1 day) from being loaded. This has been fixed by ignoring the TTL
+  values in the zone and using a value of 604800 seconds (1 week) as the
+  maximum zone TTL in key rollover timing calculations. :gl:`#4032`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.19.rst b/doc/notes/notes-9.18.19.rst
new file mode 100644
index 0000000..3d3c513
--- /dev/null
+++ b/doc/notes/notes-9.18.19.rst
@@ -0,0 +1,96 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.19
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, sending a specially crafted message over the control
+  channel could cause the packet-parsing code to run out of available
+  stack memory, causing :iscman:`named` to terminate unexpectedly.
+  This has been fixed. (CVE-2023-3341)
+
+  ISC would like to thank Eric Sesterhenn from X41 D-Sec GmbH for
+  bringing this vulnerability to our attention. :gl:`#4152`
+
+- A flaw in the networking code handling DNS-over-TLS queries could
+  cause :iscman:`named` to terminate unexpectedly due to an assertion
+  failure under significant DNS-over-TLS query load. This has been
+  fixed. (CVE-2023-4236)
+
+  ISC would like to thank Robert Story from USC/ISI Root Server
+  Operations for bringing this vulnerability to our attention.
+  :gl:`#4242`
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+- The :any:`dnssec-must-be-secure` option has been deprecated and will
+  be removed in a future release. :gl:`#4263`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- If the ``server`` command is specified, :iscman:`nsupdate` now honors
+  the :option:`nsupdate -v` option for SOA queries by sending both the
+  UPDATE request and the initial query over TCP. :gl:`#1181`
+
+Bug Fixes
+~~~~~~~~~
+
+- The value of the If-Modified-Since header in the statistics channel
+  was not being correctly validated for its length, potentially allowing
+  an authorized user to trigger a buffer overflow. Ensuring the
+  statistics channel is configured correctly to grant access exclusively
+  to authorized users is essential (see the :any:`statistics-channels`
+  block definition and usage section). :gl:`#4124`
+
+  This issue was reported independently by Eric Sesterhenn of X41 D-Sec
+  GmbH and Cameron Whitehead.
+
+- The Content-Length header in the statistics channel was lacking proper
+  bounds checking. A negative or excessively large value could
+  potentially trigger an integer overflow and result in an assertion
+  failure. :gl:`#4125`
+
+  This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
+
+- Several memory leaks caused by not clearing the OpenSSL error stack
+  were fixed. :gl:`#4159`
+
+  This issue was reported by Eric Sesterhenn of X41 D-Sec GmbH.
+
+- The introduction of ``krb5-subdomain-self-rhs`` and
+  ``ms-subdomain-self-rhs`` UPDATE policies accidentally caused
+  :iscman:`named` to return SERVFAIL responses to deletion requests for
+  non-existent PTR and SRV records. This has been fixed. :gl:`#4280`
+
+- The :any:`stale-refresh-time` feature was mistakenly disabled when the
+  server cache was flushed by :option:`rndc flush`. This has been fixed.
+  :gl:`#4278`
+
+- BIND's memory consumption has been improved by implementing dedicated
+  jemalloc memory arenas for sending buffers. This optimization ensures
+  that memory usage is more efficient and better manages the return of
+  memory pages to the operating system. :gl:`#4038`
+
+- Previously, partial writes in the TLS DNS code were not accounted for
+  correctly, which could have led to DNS message corruption. This has
+  been fixed. :gl:`#4255`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.2.rst b/doc/notes/notes-9.18.2.rst
new file mode 100644
index 0000000..0111083
--- /dev/null
+++ b/doc/notes/notes-9.18.2.rst
@@ -0,0 +1,53 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.2
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Add a new configuration option :any:`reuseport` to disable load balancing
+  on sockets in situations where processing of Response Policy Zones
+  (RPZ), Catalog Zones, or large zone transfers can cause service
+  disruptions. See the BIND 9 ARM for more detail. :gl:`#3249`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, zone maintenance DNS queries retried forever if the
+  destination server was unreachable. These queries included outgoing
+  NOTIFY messages, refresh SOA queries, parental DS checks, and stub
+  zone NS queries. For example, if a zone had any nameservers with IPv6
+  addresses and a secondary server without IPv6 connectivity, that
+  server would keep trying to send a growing amount of NOTIFY traffic
+  over IPv6. This futile traffic was not logged. This excessive retry
+  behavior has been fixed. :gl:`#3242`
+
+- A number of crashes and hangs which could be triggered in
+  :iscman:`dig` were identified and addressed. :gl:`#3020` :gl:`#3128`
+  :gl:`#3145` :gl:`#3184` :gl:`#3205` :gl:`#3244` :gl:`#3248`
+
+- Invalid :any:`dnssec-policy` definitions, where the defined keys did not
+  cover both KSK and ZSK roles for a given algorithm, were being
+  accepted. These are now checked, and the :any:`dnssec-policy` is rejected
+  if both roles are not present for all algorithms in use. :gl:`#3142`
+
+- Handling of TCP write timeouts has been improved to track the timeout
+  for each TCP write separately, leading to a faster connection teardown
+  in case the other party is not reading the data. :gl:`#3200`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.3.rst b/doc/notes/notes-9.18.3.rst
new file mode 100644
index 0000000..09952c9
--- /dev/null
+++ b/doc/notes/notes-9.18.3.rst
@@ -0,0 +1,73 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.3
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, TLS socket objects could be destroyed prematurely, which
+  triggered assertion failures in :iscman:`named` instances serving
+  DNS-over-HTTPS (DoH) clients. This has been fixed.
+
+  ISC would like to thank Thomas Amgarten from arcade solutions ag for
+  bringing this vulnerability to our attention. (CVE-2022-1183)
+  :gl:`#3216`
+
+Known Issues
+~~~~~~~~~~~~
+
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
+  be inspected when verifying a remote certificate while establishing a
+  DNS-over-TLS connection. Only ``subjectAltName`` must be checked
+  instead. Unfortunately, some quite old versions of cryptographic
+  libraries might lack the ability to ignore the ``Subject`` field. This
+  should have minimal production-use consequences, as most of the
+  production-ready certificates issued by certificate authorities will
+  have ``subjectAltName`` set. In such cases, the ``Subject`` field is
+  ignored. Only old platforms are affected by this, e.g. those supplied
+  with OpenSSL versions older than 1.1.1. :gl:`#3163`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
+New Features
+~~~~~~~~~~~~
+
+- Catalog Zones schema version 2, as described in the
+  "DNS Catalog Zones" IETF draft version 5 document, is now supported by
+  :iscman:`named`. All of the previously supported BIND-specific catalog
+  zone custom properties (:any:`primaries`, :any:`allow-query`, and
+  :any:`allow-transfer`), as well as the new Change of Ownership (``coo``)
+  property, are now implemented. Schema version 1 is still supported,
+  with some additional validation rules applied from schema version 2:
+  for example, the :any:`version` property is mandatory, and a member zone
+  PTR RRset must not contain more than one record. In the event of a
+  validation error, a corresponding error message is logged to help with
+  diagnosing the problem. :gl:`#3221` :gl:`#3222` :gl:`#3223`
+  :gl:`#3224` :gl:`#3225`
+
+- Support DNS Extended Errors (:rfc:`8914`) ``Stale Answer`` and
+  ``Stale NXDOMAIN Answer`` when stale answers are returned from cache.
+  :gl:`#2267`
+
+- Add support for remote TLS certificate verification, both to
+  :iscman:`named` and :iscman:`dig`, making it possible to implement
+  Strict and Mutual TLS authentication, as described in :rfc:`9103`,
+  Section 9.3. :gl:`#3163`
+
+Bug Fixes
+~~~~~~~~~
+
+- Previously, CDS and CDNSKEY DELETE records were removed from the zone
+  when configured with the ``auto-dnssec maintain;`` option. This has
+  been fixed. :gl:`#2931`
diff --git a/doc/notes/notes-9.18.4.rst b/doc/notes/notes-9.18.4.rst
new file mode 100644
index 0000000..1579bc4
--- /dev/null
+++ b/doc/notes/notes-9.18.4.rst
@@ -0,0 +1,44 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.4
+---------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- New :any:`dnssec-policy` configuration checks have been added to detect
+  unusual policies, such as missing KSK and/or ZSK and too-short key
+  lifetimes and re-sign periods. :gl:`#1611`
+
+Bug Fixes
+~~~~~~~~~
+
+- The :any:`fetches-per-server` quota is designed to adjust itself downward
+  automatically when an authoritative server times out too frequently.
+  Due to a coding error, that adjustment was applied incorrectly, so
+  that the quota for a congested server was always set to 1. This has
+  been fixed. :gl:`#3327`
+
+- DNSSEC-signed catalog zones were not being processed correctly. This
+  has been fixed. :gl:`#3380`
+
+- Key files were updated every time the :any:`dnssec-policy` key manager
+  ran, whether the metadata had changed or not. :iscman:`named` now
+  checks whether changes were applied before writing out the key files.
+  :gl:`#3302`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.5.rst b/doc/notes/notes-9.18.5.rst
new file mode 100644
index 0000000..546b1b3
--- /dev/null
+++ b/doc/notes/notes-9.18.5.rst
@@ -0,0 +1,59 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.5
+---------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The :option:`dnssec-signzone -H` default value has been changed to 0
+  additional NSEC3 iterations. This change aligns the
+  :iscman:`dnssec-signzone` default with the default used by the
+  :any:`dnssec-policy` feature. At the same
+  time, documentation about NSEC3 has been aligned with the `Best
+  Current Practice`_. :gl:`#3395`
+
+.. _Best Current Practice: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-10
+
+Bug Fixes
+~~~~~~~~~
+
+- An assertion failure caused by a TCP connection closing between a
+  connect (or accept) and a read from a socket has been fixed.
+  :gl:`#3400`
+
+- When grafting non-delegated namespace onto delegated namespace,
+  :any:`synth-from-dnssec` could incorrectly synthesize non-existence of
+  records within the non-delegated namespace using NSEC records from
+  higher zones. :gl:`#3402`
+
+- Previously, :iscman:`named` immediately returned a SERVFAIL response
+  to the client when it received a FORMERR response from an
+  authoritative server during recursive resolution. This has been fixed:
+  :iscman:`named` acting as a resolver now attempts to contact other
+  authoritative servers for a given domain when it receives a FORMERR
+  response from one of them. :gl:`#3152`
+
+- Previously, :option:`rndc reconfig` did not pick up changes to
+  :any:`endpoints` statements in :any:`http` blocks. This has been
+  fixed. :gl:`#3415`
+
+- It was possible for a catalog zone consumer to process a catalog zone
+  member zone when there was a configured pre-existing forward-only
+  forward zone with the same name. This has been fixed. :gl:`#2506`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.6.rst b/doc/notes/notes-9.18.6.rst
new file mode 100644
index 0000000..3ed788f
--- /dev/null
+++ b/doc/notes/notes-9.18.6.rst
@@ -0,0 +1,62 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.6
+---------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically
+  disabled on systems where they are disallowed by the security policy
+  (e.g. Red Hat Enterprise Linux 9). Primary zones using those
+  algorithms need to be migrated to new algorithms prior to running on
+  these systems, as graceful migration to different DNSSEC algorithms is
+  not possible when RSASHA1 is disallowed by the operating system.
+  :gl:`#3469`
+
+- Log messages related to fetch limiting have been improved to provide
+  more complete information. Specifically, the final counts of allowed
+  and spilled fetches are now logged before the counter object is
+  destroyed. :gl:`#3461`
+
+Bug Fixes
+~~~~~~~~~
+
+- When running as a validating resolver forwarding all queries to
+  another resolver, :iscman:`named` could crash with an assertion
+  failure. These crashes occurred when the configured forwarder sent a
+  broken DS response and :iscman:`named` failed its attempts to find a
+  proper one instead. This has been fixed. :gl:`#3439`
+
+- Non-dynamic zones that inherit :any:`dnssec-policy` from the
+  :namedconf:ref:`view` or :namedconf:ref:`options` blocks were not
+  marked as inline-signed and therefore never scheduled to be re-signed.
+  This has been fixed. :gl:`#3438`
+
+- The old :any:`max-zone-ttl` zone option was meant to be superseded by
+  the :any:`max-zone-ttl` option in :any:`dnssec-policy`; however, the
+  latter option was not fully effective. This has been corrected: zones
+  no longer load if they contain TTLs greater than the limit configured
+  in :any:`dnssec-policy`. For zones with both the old
+  :any:`max-zone-ttl` option and :any:`dnssec-policy` configured, the
+  old option is ignored, and a warning is generated. :gl:`#2918`
+
+- :option:`rndc dumpdb -expired <rndc dumpdb>` was fixed to include
+  expired RRsets, even if :any:`stale-cache-enable` is set to ``no`` and
+  the cache-cleaning time window has passed. :gl:`#3462`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.7.rst b/doc/notes/notes-9.18.7.rst
new file mode 100644
index 0000000..dade98e
--- /dev/null
+++ b/doc/notes/notes-9.18.7.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.7
+---------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Previously, there was no limit to the number of database lookups
+  performed while processing large delegations, which could be abused to
+  severely impact the performance of :iscman:`named` running as a
+  recursive resolver. This has been fixed. (CVE-2022-2795)
+
+  ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
+  Bremler-Barr & Shani Stajnrod from Reichman University for bringing
+  this vulnerability to our attention. :gl:`#3394`
+
+- When an HTTP connection was reused to request statistics from the
+  stats channel, the content length of successive responses could grow
+  in size past the end of the allocated buffer. This has been fixed.
+  (CVE-2022-2881) :gl:`#3493`
+
+- Memory leaks in code handling Diffie-Hellman (DH) keys were fixed that
+  could be externally triggered, when using TKEY records in DH mode with
+  OpenSSL 3.0.0 and later versions. (CVE-2022-2906) :gl:`#3491`
+
+- :iscman:`named` running as a resolver with the
+  :any:`stale-answer-client-timeout` option set to ``0`` could crash
+  with an assertion failure, when there was a stale CNAME in the cache
+  for the incoming query. This has been fixed. (CVE-2022-3080)
+  :gl:`#3517`
+
+- Memory leaks were fixed that could be externally triggered in the
+  DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178)
+  :gl:`#3487`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Response Rate Limiting (RRL) code now treats all QNAMEs that are
+  subject to wildcard processing within a given zone as the same name,
+  to prevent circumventing the limits enforced by RRL. :gl:`#3459`
+
+- Zones using :any:`dnssec-policy` now require dynamic DNS or
+  :any:`inline-signing` to be configured explicitly. :gl:`#3381`
+
+- When reconfiguring :any:`dnssec-policy` from using NSEC with an
+  NSEC-only DNSKEY algorithm (e.g. RSASHA1) to a policy that uses NSEC3,
+  BIND 9 no longer fails to sign the zone; instead, it keeps using NSEC
+  until the offending DNSKEY records have been removed from the zone,
+  then switches to using NSEC3. :gl:`#3486`
+
+- A backward-compatible approach was implemented for encoding
+  internationalized domain names (IDN) in :iscman:`dig` and converting
+  the domain to IDNA2008 form; if that fails, BIND tries an IDNA2003
+  conversion. :gl:`#3485`
+
+Bug Fixes
+~~~~~~~~~
+
+- A serve-stale bug was fixed, where BIND would try to return stale data
+  from cache for lookups that received duplicate queries or queries that
+  would be dropped. This bug resulted in premature SERVFAIL responses,
+  and has now been resolved. :gl:`#2982`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-9.18.8.rst b/doc/notes/notes-9.18.8.rst
new file mode 100644
index 0000000..457f470
--- /dev/null
+++ b/doc/notes/notes-9.18.8.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.8
+---------------------
+
+Known Issues
+~~~~~~~~~~~~
+
+- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
+  a manual configuration change. The following configurations are
+  affected:
+
+  - :any:`type primary` zones configured with :any:`dnssec-policy` but
+    without either :any:`allow-update` or :any:`update-policy`,
+  - :any:`type secondary` zones configured with :any:`dnssec-policy`.
+
+  In these cases please add :namedconf:ref:`inline-signing yes;
+  <inline-signing>` to the individual zone configuration(s). Without
+  applying this change, :iscman:`named` will fail to start. For more
+  details, see
+  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- BIND 9.18 does not support dynamic update forwarding (see
+  :any:`allow-update-forwarding`) in conjuction with zone transfers over
+  TLS (XoT). :gl:`#3512`
+
+- See :ref:`above <relnotes_known_issues>` for a list of all known
+  issues affecting this BIND 9 branch.
+
+New Features
+~~~~~~~~~~~~
+
+- Support for parsing and validating the ``dohpath`` service parameter
+  in SVCB records was added. :gl:`#3544`
+
+- :iscman:`named` now logs the supported cryptographic algorithms during
+  startup and in the output of :option:`named -V`. :gl:`#3541`
+
+- The ``recursion not available`` and ``query (cache) '...' denied`` log
+  messages were extended to include the name of the ACL that caused a
+  given query to be denied. :gl:`#3587`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The ability to use PKCS#11 via engine_pkcs11 has been restored, by
+  using only deprecated APIs in OpenSSL 3.0.0. BIND 9 needs to be
+  compiled with ``-DOPENSSL_API_COMPAT=10100`` specified in the CFLAGS
+  environment variable at compile time. :gl:`#3578`
+
+Bug Fixes
+~~~~~~~~~
+
+- An assertion failure was fixed in :iscman:`named` that was caused by
+  aborting the statistics channel connection while sending statistics
+  data to the client. :gl:`#3542`
+
+- Changing just the TSIG key names for primaries in catalog zones'
+  member zones was not effective. This has been fixed. :gl:`#3557`
diff --git a/doc/notes/notes-9.18.9.rst b/doc/notes/notes-9.18.9.rst
new file mode 100644
index 0000000..828f459
--- /dev/null
+++ b/doc/notes/notes-9.18.9.rst
@@ -0,0 +1,61 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.9
+---------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A crash was fixed that happened when a :any:`dnssec-policy` zone that
+  used NSEC3 was reconfigured to enable :any:`inline-signing`.
+  :gl:`#3591`
+
+- In certain resolution scenarios, quotas could be erroneously reached
+  for servers, including any configured forwarders, resulting in
+  SERVFAIL answers being sent to clients. This has been fixed.
+  :gl:`#3598`
+
+- ``rpz-ip`` rules in :any:`response-policy` zones could be ineffective
+  in some cases if a query had the CD (Checking Disabled) bit set to 1.
+  This has been fixed. :gl:`#3247`
+
+- Previously, if Internet connectivity issues were experienced during
+  the initial startup of :iscman:`named`, a BIND resolver with
+  :any:`dnssec-validation` set to ``auto`` could enter into a state
+  where it would not recover without stopping :iscman:`named`, manually
+  deleting the ``managed-keys.bind`` and ``managed-keys.bind.jnl``
+  files, and starting :iscman:`named` again. This has been fixed.
+  :gl:`#2895`
+
+- The statistics counter representing the current number of clients
+  awaiting recursive resolution results (``RecursClients``) could
+  overflow in certain resolution scenarios. This has been fixed.
+  :gl:`#3584`
+
+- Previously, the port in remote servers such as in :any:`primaries` and
+  :any:`parental-agents` could be wrongly configured because of an
+  inheritance bug. This has been fixed. :gl:`#3627`
+
+- Previously, BIND failed to start on Solaris-based systems with
+  hundreds of CPUs. This has been fixed. :gl:`#3563`
+
+- When a DNS resource record's TTL value was equal to the resolver's
+  configured :any:`prefetch` "eligibility" value, the record was
+  erroneously not treated as eligible for prefetching. This has been
+  fixed. :gl:`#3603`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/doc/notes/notes-known-issues.rst b/doc/notes/notes-known-issues.rst
new file mode 100644
index 0000000..ee0d0f0
--- /dev/null
+++ b/doc/notes/notes-known-issues.rst
@@ -0,0 +1,62 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _relnotes_known_issues:
+
+Known Issues
+------------
+
+- Upgrading from BIND 9.16.32, 9.18.6, or any older version may require
+  a manual configuration change. The following configurations are
+  affected:
+
+  - :any:`type primary` zones configured with :any:`dnssec-policy` but
+    without either :any:`allow-update` or :any:`update-policy`,
+  - :any:`type secondary` zones configured with :any:`dnssec-policy`.
+
+  In these cases please add :namedconf:ref:`inline-signing yes;
+  <inline-signing>` to the individual zone configuration(s). Without
+  applying this change, :iscman:`named` will fail to start. For more
+  details, see
+  https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing
+
+- BIND 9.18 does not support dynamic update forwarding (see
+  :any:`allow-update-forwarding`) in conjuction with zone transfers over
+  TLS (XoT). :gl:`#3512`
+
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
+  be inspected when verifying a remote certificate while establishing a
+  DNS-over-TLS connection. Only ``subjectAltName`` must be checked
+  instead. Unfortunately, some quite old versions of cryptographic
+  libraries might lack the ability to ignore the ``Subject`` field. This
+  should have minimal production-use consequences, as most of the
+  production-ready certificates issued by certificate authorities will
+  have ``subjectAltName`` set. In such cases, the ``Subject`` field is
+  ignored. Only old platforms are affected by this, e.g. those supplied
+  with OpenSSL versions older than 1.1.1. :gl:`#3163`
+
+- ``rndc`` has been updated to use the new BIND network manager API. As
+  the network manager currently has no support for UNIX-domain sockets,
+  those cannot now be used with ``rndc``. This will be addressed in a
+  future release, either by restoring UNIX-domain socket support or by
+  formally declaring them to be obsolete in the control channel.
+  :gl:`#1759`
+
+- Sending NOTIFY messages silently fails when the source port specified
+  in the :any:`notify-source` statement is already in use. This can
+  happen e.g. when multiple servers are configured as NOTIFY targets for
+  a zone and some of them are unresponsive. This issue can be worked
+  around by not specifying the source port for NOTIFY messages in the
+  :any:`notify-source` statement; note that source port configuration is
+  already `deprecated`_ and will be removed altogether in a future
+  release. :gl:`#4002`
+
+.. _deprecated: https://gitlab.isc.org/isc-projects/bind9/-/issues/3781