Tweak and reword release notes

doc/notes/notes-9.21.8.rst

@@ -15,7 +15,7 @@ Notes for BIND 9.21.8
 Security Fixes
 ~~~~~~~~~~~~~~
 
-- [CVE-2025-40775] Prevent assertion when processing TSIG algorithm.
+- Prevent an assertion failure when processing TSIG algorithm.
 
   DNS messages that included a Transaction Signature (TSIG) containing
   an invalid value in the algorithm field caused :iscman:`named` to
@@ -25,70 +25,81 @@ Security Fixes
 New Features
 ~~~~~~~~~~~~
 
-- Implement tcp-primaries-timeout.
+- Implement configurable TCP timeouts for zone refresh queries.
 
-  The new `tcp-primaries-timeout` configuration option works the same
+  The new :any:`tcp-primaries-timeout` configuration option works the
-  way as the older `tcp-initial-timeout` option, but applies only to the
+  same way as the older :any:`tcp-initial-timeout` option but applies
-  TCP connections made to the primary servers, so that the timeout value
+  only to the TCP connections made to the primary servers, so that the
-  can be set separately for them. By default, it's set to 150, which is
+  timeout value can be set separately for them. The default is
-  15 seconds. :gl:`#3649`
+  150 (15 seconds). :gl:`#3649`
 
 Feature Changes
 ~~~~~~~~~~~~~~~
 
-- Use jinja2 templates in system tests.
+- Use Jinja2 templates in system tests.
 
   `python-jinja2` is now required to run system tests. :gl:`#4938`
 
 Bug Fixes
 ~~~~~~~~~
 
-- Fix EDNS yaml output.
+- Fix EDNS YAML output in :iscman:`dig`.
 
-  `dig` was producing invalid YAML when displaying some EDNS options.
+  :iscman:`dig` was producing invalid YAML when displaying some EDNS
-  This has been corrected.
+  options.  This has been corrected.
 
   Several other improvements have been made to the display of EDNS
-  option data: - We now use the correct name for the UPDATE-LEASE
+  option data:
-  option, which was previously displayed as "UL", and split it into
+
-  separate LEASE and LEASE-KEY components in YAML mode. - Human-readable
+    - The correct name is now used for the UPDATE-LEASE option, which
-  durations are now displayed as comments in YAML mode so as not to
+      was previously displayed as ``UL``, and it is split into separate
-  interfere with machine parsing. - KEY-TAG options are now displayed as
+      ``LEASE`` and ``LEASE-KEY`` components in YAML mode.
-  an array of integers in YAML mode. - EDNS COOKIE options are displayed
+
-  as separate CLIENT and SERVER components, and cookie STATUS is a
+    - Human-readable durations are now displayed as comments in YAML
-  retrievable variable in YAML mode. :gl:`#5014`
+      mode so as not to interfere with machine parsing.
+
+    - KEY-TAG options are now displayed as an array of integers in YAML
+      mode.
+
+    - EDNS COOKIE options are displayed as separate ``CLIENT`` and
+      ``SERVER`` components, and cookie STATUS is a retrievable variable
+      in YAML mode.
+
+  :gl:`#5014`
 
 - Return DNS COOKIE and NSID with BADVERS.
 
-  This change allows the client to identify the server that returns the
+  This change allows the client to identify a server that returns a
-  BADVERS and to provide a DNS SERVER COOKIE to be included in the
+  BADVERS response and to provide a DNS SERVER COOKIE to be included in
-  resend of the request. :gl:`#5235`
+  the resent request. :gl:`#5235`
 
-- Disable own memory context for libxml2 on macOS.
+- Disable separate memory context for libxml2 memory allocations on
+  macOS.
 
-  Apple broke custom memory allocation functions in the system-wide
+  As of macOS Sequoia 15.4, custom memory allocation functions are no
-  libxml2 starting with macOS Sequoia 15.4.  Usage of the custom memory
+  longer supported by the system-wide version of libxml2. This prevents
-  allocation functions has been disabled on macOS. :gl:`#5268`
+  tracking libxml2 memory allocations in a separate :iscman:`named`
+  memory context, so the latter has been disabled on macOS; the system
+  allocator is now directly used for libxml2 memory allocations on that
+  operating system. :gl:`#5268`
 
-- `check_private` failed to account for the length byte before the OID.
+- Fix RDATA checks for PRIVATEOID keys.
 
-  In PRIVATEOID keys, the key data begins with a length byte followed
+  In PRIVATEOID keys, the key data begins with a length byte followed by
-  by an ASN.1 object identifier that indicates the cryptographic
+  an ASN.1 object identifier that indicates the cryptographic algorithm
-  algorithm  to use. Previously, the length byte was not accounted for
+  to use. Previously, the length byte was not accounted for when
-  when  checking the contents of keys and signatures, which could have
+  checking the contents of keys and signatures, which could have led to
-  led to interoperability problems with any zones signed using
+  interoperability problems with any zones signed using PRIVATEOID. This
-  PRIVATEOID. This has been fixed. :gl:`#5270`
+  has been fixed. :gl:`#5270`
 
 - Fix a serve-stale issue with a delegated zone.
 
-  When ``stale-answer-client-timeout 0`` option was enabled, it could be
+  Even with :any:`stale-answer-client-timeout` set to ``0``, stale
-  ignored when resolving a zone which is a delegation of an
+  responses were not returned immediately for names in domains delegated
-  authoritative zone belonging to the resolver. This has been fixed.
+  from authoritative zones configured on the resolver. This has been
-  :gl:`#5275`
+  fixed. :gl:`#5275`
 
 - Return the correct NSEC3 records for NXDOMAIN responses.
 
   The wrong NSEC3 records were sometimes returned as proof that the
   QNAME did not exist. This has been fixed. :gl:`#5292`
-
-