Tweak and reword release notes

doc/notes/notes-current.rst

@@ -20,39 +20,41 @@ Security Fixes
 Known Issues
 ~~~~~~~~~~~~
 
-- According to RFC 8310, Section 8.1, the Subject field MUST NOT be
+- According to :rfc:`8310`, Section 8.1, the ``Subject`` field MUST NOT
-  inspected when verifying a remote certificate while establishing a
+  be inspected when verifying a remote certificate while establishing a
-  DNS-over-TLS connection. Only SubjectAltName must be checked
+  DNS-over-TLS connection. Only ``subjectAltName`` must be checked
   instead. Unfortunately, some quite old versions of cryptographic
-  libraries might lack the functionality to ignore the Subject
+  libraries might lack the ability to ignore the ``Subject`` field. This
-  field. It should have minimal production use consequences, as most
+  should have minimal production-use consequences, as most of the
-  of the production-ready certificates issued by certificate
+  production-ready certificates issued by certificate authorities will
-  authorities will have SubjectAltNames set. In such a case, the
+  have ``subjectAltName`` set. In such cases, the ``Subject`` field is
-  Subject field is ignored. Only old platforms are affected by this,
+  ignored. Only old platforms are affected by this, e.g. those supplied
-  e.g., those supplied with OpenSSL versions older than 1.1.1.
+  with OpenSSL versions older than 1.1.1. :gl:`#3163`
 
 New Features
 ~~~~~~~~~~~~
 
-- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a ``-J`` option to
+- :iscman:`dnssec-verify` and :iscman:`dnssec-signzone` now accept a
-  specify a journal file to read when loading the zone to be verified or
+  ``-J`` option to specify a journal file to read when loading the zone
-  signed. :gl:`#2486`
+  to be verified or signed. :gl:`#2486`
 
-- Add support for remote TLS certificates verification, both to BIND
+- Add support for remote TLS certificate verification, both to
-  and ``dig``, making it possible to implement Strict and Mutual TLS
+  :iscman:`named` and :iscman:`dig`, making it possible to implement
-  authentication, as described in RFC 9103, Section 9.3. :gl:`#3163`
+  Strict and Mutual TLS authentication, as described in :rfc:`9103`,
+  Section 9.3. :gl:`#3163`
 
-- Run RPZ updates on the specialized "offload" threads to reduce the amount
+- Run RPZ updates on the specialized "offload" threads to reduce the
-  of time they block query processing on the main networking threads.  This
+  amount of time they block query processing on the main networking
-  should increase the responsiveness of ``named`` when RPZ updates are being
+  threads. This should increase the responsiveness of :iscman:`named`
-  applied after an RPZ zone has been successfully transfered.  :gl:`#3190`
+  when RPZ updates are being applied after an RPZ zone has been
+  successfully transferred. :gl:`#3190`
 
 Removed Features
 ~~~~~~~~~~~~~~~~
 
 - The ``keep-order-response`` option has been declared obsolete and the
-  functionality has been removed.  :iscman:`named` expects DNS clients to be
+  functionality has been removed. :iscman:`named` expects DNS clients to
-  fully compliant with :rfc:`7766`. :gl:`#3140`
+  be fully compliant with :rfc:`7766`. :gl:`#3140`
 
 Feature Changes
 ~~~~~~~~~~~~~~~