diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5ef3fd83b0..1441105b41 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1517,7 +1517,7 @@ abi-check:
 CC: gcc
 CFLAGS: "${CFLAGS_COMMON} -Og"
 EXTRA_CONFIGURE: "--enable-dnstap --with-libidn2"
- BIND_BASELINE_VERSION: v9_17_6
+ BIND_BASELINE_VERSION: v9_17_7
 script:
 - *configure
 - make -j${BUILD_PARALLEL_JOBS:-1} V=1
diff --git a/CHANGES b/CHANGES
index dbb7f5bcb4..d7d0f3a5d0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -20,51 +20,50 @@ 5534. [bug] The synthesised CNAME from a DNAME was incorrectly followed when the QTYPE was CNAME or ANY. [GL #2280] -5533. [func] Add "stale-refresh-time" option, a time window that - starts after a failed lookup, during which stale rrset - will be served directly from cache before a new - attempt to refresh it is made. [GL #2066] + --- 9.17.7 released --- + +5533. [func] Add the "stale-refresh-time" option, a time window that + starts after a failed lookup, during which a stale RRset + is served directly from cache before a new attempt to + refresh it is made. [GL #2066] 5532. [cleanup] Unused header files were removed: bin/rndc/include/rndc/os.h, lib/isc/timer_p.h, lib/isccfg/include/isccfg/dnsconf.h and code related to those files. [GL #1913] -5531. [func] Add a netmgr TLS layer, enabling server-side DoT - support (not yet available), and client-side DoT - support in dig with "dig +tls". [GL #1840] +5531. [func] Add support for DNS over TLS (DoT) to dig and named. + [GL #1840] -5530. [bug] DNSTAP did not capture responses to forwarded - UPDATE requests. [GL #2252] +5530. [bug] dnstap did not capture responses to forwarded UPDATE + requests. [GL #2252] -5529. [func] The network manager API is now used by named - to send zone transfer requests. [GL #2016] +5529. [func] The network manager API is now used by named to send + zone transfer requests. [GL #2016] -5528. [func] Convert "dig", "host" and "nslookup" to use the - network manager. As a side effect of this change, - "dig +unexpected" no longer works, and has been - disabled. [GL #2140] +5528. [func] Convert dig, host, and nslookup to use the network + manager API. As a side effect of this change, "dig + +unexpected" no longer works, and has been disabled. + [GL #2140] -5527. [bug] There was a NULL pointer dereference if the creation - of the fetch to determine if a negative trust anchor - was still valid failed. [GL #2244] +5527. 
[bug] A NULL pointer dereference occurred when creating an NTA + recheck query failed. [GL #2244] 5526. [bug] Fix a race/NULL dereference in TCPDNS read. [GL #2227] 5525. [placeholder] -5524. [func] Added functionality to the network manager to - support outgoing DNS queries in addition to - incoming ones. [GL #2235] +5524. [func] Added functionality to the network manager to support + outgoing DNS queries in addition to incoming ones. + [GL #2235] -5523. [bug] The initial lookup of a zone transitioning to/from - the signed state could fail if the DNSKEY RRset was - not found. Subsequent lookups would succeed. - [GL #2236] +5523. [bug] The initial lookup in a zone transitioning to/from a + signed state could fail if the DNSKEY RRset was not + found. [GL #2236] -5522. [bug] Fix a race/NULL dereference in TCPDNS send. [GL #2227] +5522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227] -5521. [func] All use of libltdl was dropped. libuv's shared library +5521. [func] All use of libltdl was dropped. libuv's shared library handling interface is now used instead. [GL !4278] 5520. [bug] Fixed a number of shutdown races, reference counting @@ -75,12 +74,11 @@ lib/dns/portlist.c, lib/isc/bufferlist.c, and code related to those files. [GL #2060] -5518. [bug] Fix stub zone not transferring nameserver addresses - from masters configured with 'minimal-responses yes'. - [GL #1736] +5518. [bug] Stub zones now work correctly with primary servers using + "minimal-responses yes". [GL #1736] -5517. [bug] Handle 'UV_EOF' differently and don't contribute it to - the RECVFAIL statistic count. [GL #2208] +5517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr. + [GL #2208] --- 9.17.6 released --- diff --git a/README.md b/README.md index 3921107923..2af04d5502 100644 --- a/README.md +++ b/README.md 
@@ -162,8 +162,7 @@ To build on a Unix or Linux system, use: $ ./configure $ make -If you're planning on making changes to the BIND 9 source, you should run -`make depend`. If you're using Emacs, you might find `make tags` helpful. +If you're using Emacs, you might find `make tags` helpful. Several environment variables, which can be set before running `configure`, affect compilation. Significant ones are: diff --git a/configure.ac b/configure.ac index 47459bc118..45472474ce 100644 --- a/configure.ac +++ b/configure.ac @@ -14,7 +14,7 @@ # m4_define([bind_VERSION_MAJOR], 9)dnl m4_define([bind_VERSION_MINOR], 17)dnl -m4_define([bind_VERSION_PATCH], 6)dnl +m4_define([bind_VERSION_PATCH], 7)dnl m4_define([bind_VERSION_EXTRA], )dnl m4_define([bind_DESCRIPTION], [(Development Release)])dnl m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index f524e02367..d28efad257 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst @@ -53,6 +53,7 @@ information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. .. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.7.rst .. include:: ../notes/notes-9.17.6.rst .. include:: ../notes/notes-9.17.5.rst .. include:: ../notes/notes-9.17.4.rst diff --git a/doc/notes/notes-9.17.7.rst b/doc/notes/notes-9.17.7.rst new file mode 100644 index 0000000000..ce7d5343f7 --- /dev/null +++ b/doc/notes/notes-9.17.7.rst 
@@ -0,0 +1,64 @@
+..
+ Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+ This Source Code Form is subject to the terms of the Mozilla Public
+ License, v. 2.0. If a copy of the MPL was not distributed with this
+ file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+ See the COPYRIGHT file distributed with this work for additional
+ information regarding copyright ownership.
+
+Notes for BIND 9.17.7
+---------------------
+
+New Features
+~~~~~~~~~~~~
+
+- Support for DNS over TLS (DoT) has been added: the ``dig`` tool is now
+ able to send DoT queries (``+tls`` option) and ``named`` can handle
+ DoT queries (``listen-on tls ...`` option). ``named`` can use either a
+ certificate provided by the user or an ephemeral certificate generated
+ automatically upon startup. [GL #1840]
+
+- A new configuration option, ``stale-refresh-time``, has been
+ introduced. It allows a stale RRset to be served directly from cache
+ for a period of time after a failed lookup, before a new attempt to
+ refresh it is made. [GL #2066]
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The ``dig``, ``host``, and ``nslookup`` tools have been converted to
+ use the new network manager API rather than the older ISC socket API.
+
+ As a side effect of this change, the ``dig +unexpected`` option no
+ longer works. This could previously be used to diagnose broken servers
+ or network configurations by listening for replies from servers other
+ than the one that was queried. With the new API, such answers are
+ filtered before they ever reach ``dig``, so the option has been
+ removed. [GL #2140]
+
+- The network manager API is now used by ``named`` to send zone transfer
+ requests. [GL #2016]
+
+Bug Fixes
+~~~~~~~~~
+
+- ``named`` could crash with an assertion failure if a TCP connection
+ were closed while a request was still being processed. [GL #2227]
+
+- ``named`` acting as a resolver could incorrectly treat signed zones
+ with no DS record at the parent as bogus.
Such zones should be treated + as insecure. This has been fixed. [GL #2236] + +- After a Negative Trust Anchor (NTA) is added, BIND performs periodic + checks to see if it is still necessary. If BIND encountered a failure + while creating a query to perform such a check, it attempted to + dereference a ``NULL`` pointer, resulting in a crash. [GL #2244] + +- A problem obtaining glue records could prevent a stub zone from + functioning properly, if the authoritative server for the zone were + configured for minimal responses. [GL #1736] + +- ``UV_EOF`` is no longer treated as a ``TCP4RecvErr`` or a + ``TCP6RecvErr``. [GL #2208] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 0823a0c490..3fb7479cf9 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -8,7 +8,7 @@ See the COPYRIGHT file distributed with this work for additional information regarding copyright ownership. -Notes for BIND 9.17.6 +Notes for BIND 9.17.8 --------------------- Security Fixes @@ -24,10 +24,6 @@ Known Issues New Features ~~~~~~~~~~~~ -- A new configuration option ``stale-refresh-time`` has been introduced, it - allows stale RRset to be served directly from cache for a period of time - after a failed lookup, before a new attempt to refresh it is made. [GL #2066] - - ``dig`` can now report the DNS64 prefixes in use (``+dns64prefix``). This is useful when the host on which ``dig`` is run is behind an IPv6-only link, using DNS64/NAT64 or 464XLAT for IPv4aaS (IPv4 as a 
@@ -41,25 +37,6 @@ Removed Features Feature Changes ~~~~~~~~~~~~~~~ -- The network manager API is now used by ``named`` to send zone transfer - requests. [GL #2016] - -- The ``dig``, ``host``, and ``nslookup`` tools have been converted to - use the new network manager API rather than the older ISC socket API. - - As a side effect of this change, the ``dig +unexpected`` option no longer - works. This could previously be used for diagnosing broken servers or - network configurations by listening for replies from servers other than - the one that was queried. With the new API such answers are filtered - before they ever reach ``dig``. Consequently, the option has been - removed. [GL #2140] - -- Support for DNS over TLS (DoT) has been added to the network manager API, and - the support for DoT has been added to the ``dig`` tool and support for - listening on TLS port has been added to ``named``. ``named`` could use a - certificate provided by the user or it can generate an ephemeral certificate - on startup of the daemon. - - Add NSEC3 support for zones that manage their DNSSEC with the `dnssec-policy` configuration. A new option 'nsec3param' can be used to set the desired NSEC3 parameters, and will detect collisions when resalting. [GL #1620]. @@ -67,11 +44,5 @@ Feature Changes Bug Fixes ~~~~~~~~~ -- Handle `UV_EOF` differently such that it is not treated as a `TCP4RecvErr` or - `TCP6RecvErr`. [GL #2208] - -- ``named`` could crash with an assertion failure if a TCP connection is closed - while the request is still processing. [GL #2227] - - The synthesised CNAME from a DNAME was incorrectly followed when the QTYPE was CNAME or ANY. [GL #2280] diff --git a/lib/bind9/api b/lib/bind9/api index 334285afed..399abc2379 100644 --- a/lib/bind9/api +++ b/lib/bind9/api @@ -12,5 +12,5 @@ # 9.15/9.16: 1500-1699 # 9.17/9.18: 1700-1899 LIBINTERFACE = 1701 -LIBREVISION = 2 +LIBREVISION = 3 LIBAGE = 0 diff --git a/lib/dns/api b/lib/dns/api index 2a766927f2..f55bd9eef6 100644 
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1706
+LIBINTERFACE = 1707
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isc/api b/lib/isc/api
index 7742ab7a90..2a766927f2 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1705
+LIBINTERFACE = 1706
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccc/api b/lib/isccc/api
index 7a51f60de3..c1c1be9b85 100644
--- a/lib/isccc/api
+++ b/lib/isccc/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1702
-LIBREVISION = 1
+LIBINTERFACE = 1703
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccfg/api b/lib/isccfg/api
index 7a51f60de3..0f6b1b19ee 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -12,5 +12,5 @@
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
 LIBINTERFACE = 1702
-LIBREVISION = 1
+LIBREVISION = 2
 LIBAGE = 0
diff --git a/lib/ns/api b/lib/ns/api
index 2a38956a54..7742ab7a90 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -11,6 +11,6 @@
 # 9.13/9.14: 1300-1499
 # 9.15/9.16: 1500-1699
 # 9.17/9.18: 1700-1899
-LIBINTERFACE = 1704
+LIBINTERFACE = 1705
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/util/copyrights b/util/copyrights
index 065652da30..5e15b78c9d 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1252,6 +1252,7 @@
 ./doc/notes/notes-9.17.4.rst RST 2020
 ./doc/notes/notes-9.17.5.rst RST 2020
 ./doc/notes/notes-9.17.6.rst RST 2020
+./doc/notes/notes-9.17.7.rst RST 2020
 ./doc/notes/notes-current.rst RST 2020
 ./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020
 ./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020