CHANGES, release notes

CHANGES

@@ -1,7 +1,9 @@
-5576.	[func]		Initial support for DNS-over-HTTP(S). BIND now
-			includes DNS-over-HTTP(S) layer built on top of nghttp2.
-			Both encrypted and unencrypted HTTP/2 connections
-			are supported. [GL !4566]
+5576.	[experimental]	Initial server-side implementation of DNS-over-HTTPS
+			(DoH). Support for both TLS-encrypted and unencrypted
+			HTTP/2 connections has been added to the network manager
+			and integrated into named. (Note: there is currently no
+			client-side support for DNS-over-HTTPS; this will be
+			added to dig in a future release.) [GL #1144]
 
 5575.	[bug]		When migrating to dnssec-policy, BIND considered keys
 			with the "Inactive" and/or "Delete" timing metadata as

doc/notes/notes-current.rst

@@ -52,12 +52,12 @@ New Features
   an optional ``tls`` option which specifies either a previously configured
   ``tls`` statement or ``ephemeral``. [GL #2392]
 
-- ``named`` now has initial support for DNS-over-HTTP(S). Both
-  encrypted (via TLS) and unencrypted HTTP/2 connections are supported.
-  The latter are mostly there for debugging/troubleshooting
-  purposes and for the means of encryption offloading to third-party
-  software (as might be desirable in some environments to aid in TLS
-  certificates management).  [GL !4566]
+- ``named`` now supports DNS-over-HTTPS (DoH). Both TLS-encrypted and
+  unencrypted HTTP/2 connections are supported (the latter may be used to
+  offload encryption to other software).
+
+  Note that there is no client-side support for HTTPS as yet; this will be
+  added to ``dig`` in a future release. [GL #1144]
 
 Removed Features
 ~~~~~~~~~~~~~~~~