diff --git a/doc/notes/notes-9.20.9.rst b/doc/notes/notes-9.20.9.rst
index 05a6a3807a..52b65ca474 100644
--- a/doc/notes/notes-9.20.9.rst
+++ b/doc/notes/notes-9.20.9.rst
@@ -15,7 +15,7 @@ Notes for BIND 9.20.9
 Security Fixes
 ~~~~~~~~~~~~~~
 
-- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
+- Prevent an assertion failure when processing TSIG algorithm.
 
   DNS messages that included a Transaction Signature (TSIG) containing
   an invalid value in the algorithm field caused :iscman:`named` to
@@ -25,55 +25,68 @@ Security Fixes
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- Use jinja2 templates in system tests.
+- Use Jinja2 templates in system tests.
 
   `python-jinja2` is now required to run system tests. :gl:`#4938`
 
 Bug Fixes
 ~~~~~~~~~
 
-- Fix EDNS yaml output.
+- Fix EDNS YAML output in :iscman:`dig`.
 
-  `dig` was producing invalid YAML when displaying some EDNS options.
-  This has been corrected.
+  :iscman:`dig` was producing invalid YAML when displaying some EDNS
+  options.  This has been corrected.
 
   Several other improvements have been made to the display of EDNS
-  option data: - We now use the correct name for the UPDATE-LEASE
-  option, which was previously displayed as "UL", and split it into
-  separate LEASE and LEASE-KEY components in YAML mode. - Human-readable
-  durations are now displayed as comments in YAML mode so as not to
-  interfere with machine parsing. - KEY-TAG options are now displayed as
-  an array of integers in YAML mode. - EDNS COOKIE options are displayed
-  as separate CLIENT and SERVER components, and cookie STATUS is a
-  retrievable variable in YAML mode. :gl:`#5014`
+  option data:
+
+    - The correct name is now used for the UPDATE-LEASE option, which
+      was previously displayed as ``UL``, and it is split into separate
+      ``LEASE`` and ``LEASE-KEY`` components in YAML mode.
+
+    - Human-readable durations are now displayed as comments in YAML
+      mode so as not to interfere with machine parsing.
+
+    - KEY-TAG options are now displayed as an array of integers in YAML
+      mode.
+
+    - EDNS COOKIE options are displayed as separate ``CLIENT`` and
+      ``SERVER`` components, and cookie STATUS is a retrievable variable
+      in YAML mode.
+
+  :gl:`#5014`
 
 - Return DNS COOKIE and NSID with BADVERS.
 
-  This change allows the client to identify the server that returns the
-  BADVERS and to provide a DNS SERVER COOKIE to be included in the
-  resend of the request. :gl:`#5235`
+  This change allows the client to identify a server that returns a
+  BADVERS response and to provide a DNS SERVER COOKIE to be included in
+  the resent request. :gl:`#5235`
 
-- Disable own memory context for libxml2 on macOS.
+- Disable separate memory context for libxml2 memory allocations on
+  macOS.
 
-  Apple broke custom memory allocation functions in the system-wide
-  libxml2 starting with macOS Sequoia 15.4.  Usage of the custom memory
-  allocation functions has been disabled on macOS. :gl:`#5268`
+  As of macOS Sequoia 15.4, custom memory allocation functions are no
+  longer supported by the system-wide version of libxml2. This prevents
+  tracking libxml2 memory allocations in a separate :iscman:`named`
+  memory context, so the latter has been disabled on macOS; the system
+  allocator is now directly used for libxml2 memory allocations on that
+  operating system. :gl:`#5268`
 
-- `check_private` failed to account for the length byte before the OID.
+- Fix RDATA checks for PRIVATEOID keys.
 
-  In PRIVATEOID keys, the key data begins with a length byte followed
-  by an ASN.1 object identifier that indicates the cryptographic
-  algorithm  to use. Previously, the length byte was not accounted for
-  when  checking the contents of keys and signatures, which could have
-  led to interoperability problems with any zones signed using
-  PRIVATEOID. This has been fixed. :gl:`#5270`
+  In PRIVATEOID keys, the key data begins with a length byte followed by
+  an ASN.1 object identifier that indicates the cryptographic algorithm
+  to use. Previously, the length byte was not accounted for when
+  checking the contents of keys and signatures, which could have led to
+  interoperability problems with any zones signed using PRIVATEOID. This
+  has been fixed. :gl:`#5270`
 
 - Fix a serve-stale issue with a delegated zone.
 
-  When ``stale-answer-client-timeout 0`` option was enabled, it could be
-  ignored when resolving a zone which is a delegation of an
-  authoritative zone belonging to the resolver. This has been fixed.
-  :gl:`#5275`
+  Even with :any:`stale-answer-client-timeout` set to ``0``, stale
+  responses were not returned immediately for names in domains delegated
+  from authoritative zones configured on the resolver. This has been
+  fixed. :gl:`#5275`
 
 - Revert NSEC3 closest encloser lookup improvements.
 
@@ -81,5 +94,3 @@ Bug Fixes
   were restored in BIND 9.20.8 turned out to cause incorrect NSEC3
   records to be returned in nonexistence proofs and were therefore
   reverted again. :gl:`#5292`
-
-