diff --git a/.gitattributes b/.gitattributes
index 3dac3b0fe6..86b4561c9a 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -7,4 +7,5 @@
/doc/dev export-ignore
/util/** export-ignore
/util/bindkeys.pl -export-ignore
+/util/check-make-install.in -export-ignore
/util/mksymtbl.pl -export-ignore
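Review bot: the added `/util/check-make-install.in -export-ignore` exception gives no reason for shipping this file, and it is the only `.in` template among the exceptions to `/util/** export-ignore` shown here (the other two are `.pl` scripts). Please say in the commit message what in an exported tree consumes the template, and confirm that consumer is itself exported, so an archive build does not depend on a file that is only present in a git checkout.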
diff --git a/CHANGES b/CHANGES
index a0ceea14bb..19d0f29ade 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,20 +8,21 @@
5367. [placeholder]
+ --- 9.17.0 released ---
+
5366. [bug] Fix a race condition with the keymgr when the same
zone plus dnssec-policy is configured in multiple
views. [GL #1653]
5365. [bug] Algorithm rollover was stuck on submitting DS
because keymgr thought it would move to an invalid
- state. Fixed by when checking the current key,
- check it against the desired state, not the existing
- state. [GL #1626]
+ state. Fixed by checking the current key against
+ the desired state, not the existing state. [GL #1626]
5364. [bug] Algorithm rollover waited too long before introducing
zone signatures. It waited to make sure all signatures
- were resigned, but when introducing a new algorithm,
- all signatures are resigned immediately. Only
+ were regenerated, but when introducing a new algorithm,
+ all signatures are regenerated immediately. Only
add the sign delay if there is a predecessor key.
[GL #1625]
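Review bot: terminology is now inconsistent within CHANGES: entry 5364 switches from "resigned" to "regenerated", while entry 5357 further down in this same patch keeps "re-signed" for the same operation. If the goal was to avoid the ambiguous spelling "resigned", using "re-signed" in 5364 as well would fix that and keep one term throughout. The 5365 rewording reads fine as is.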
@@ -53,7 +54,8 @@
5357. [bug] Newly added RRSIG records with expiry times before
the previous earliest expiry times might not be
- re-signed in time. The was a side effect of 5315.
+ re-signed in time. This was a side effect of 5315.
+ [GL !3137]
5356. [func] Update dnssec-policy configuration statements:
- Rename "zone-max-ttl" dnssec-policy option to
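Review bot: the reference added to entry 5357 is written `[GL !3137]`, whereas the other entries visible in this patch use the `[GL #NNNN]` form. If this is a deliberate merge-request reference because no issue exists for the change, that is fine; otherwise replace it with the issue number so readers following the reference land on the bug report rather than the code review.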
diff --git a/README.md b/README.md
index 698bb85765..970c846d60 100644
--- a/README.md
+++ b/README.md
@@ -128,7 +128,12 @@ including your patch as an attachment, preferably generated by
### BIND 9.17 features
BIND 9.17 is the newest development branch of BIND 9. It includes a
-number of changes from BIND 9.16 and earlier releases.
+number of changes from BIND 9.16 and earlier releases. New features include:
+
+* New option "max-ixfr-ratio" to limit the size of outgoing IXFR responses
+ before falling back to full zone transfers.
+* "rndc nta -d" and "rndc secroots" now include "validate-except" entries
+ when listing negative trust anchors.
### Building BIND
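Review bot: the "max-ixfr-ratio" bullet says the option limits "the size" of outgoing IXFR responses, but the name says ratio and the text never states what the ratio is measured against or what the unit is. One clause stating that would let an operator judge when the fallback to a full zone transfer triggers. The second bullet could likewise say in a few words what a "validate-except" entry is, since it is now mixed into the `rndc nta -d` and `rndc secroots` listings that operators read to see where DNSSEC validation is disabled.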