diff --git a/doc/notes/notes-9.20.14.rst b/doc/notes/notes-9.20.14.rst
index b2e177ebd1..7a44e85bb5 100644
--- a/doc/notes/notes-9.20.14.rst
+++ b/doc/notes/notes-9.20.14.rst
@@ -78,6 +78,18 @@ New Features
 Bug Fixes
 ~~~~~~~~~
 
+- Missing DNSSEC information when CD bit is set in query.
+
+  The RRSIGs for glue records were not being cached correctly for CD=1
+  queries. This has been fixed. :gl:`#5502`
+
+- :option:`rndc sign` during ZSK rollover will now replace signatures.
+
+  When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
+  :option:`rndc sign` command now signs the zone completely with the
+  successor key, replacing all zone signatures from the predecessor key
+  with new ones. :gl:`#5483`
+
 - Use signer name when disabling DNSSEC algorithms.
 
   :any:`disable-algorithms` could cause DNSSEC validation failures when
@@ -89,18 +101,6 @@ Bug Fixes
   the algorithm is disabled for that zone, using deepest match when
   there are multiple :any:`disable-algorithms` clauses. :gl:`#5165`
 
-- :option:`rndc sign` during ZSK rollover will now replace signatures.
-
-  When performing a ZSK rollover, if the new DNSKEY is omnipresent, the
-  :option:`rndc sign` command now signs the zone completely with the
-  successor key, replacing all zone signatures from the predecessor key
-  with new ones. :gl:`#5483`
-
-- Missing DNSSEC information when CD bit is set in query.
-
-  The RRSIGs for glue records were not being cached correctly for CD=1
-  queries. This has been fixed. :gl:`#5502`
-
 - Preserve cache when reload fails and reload the server again.
 
   This fixes an issue where failing to reconfigure/reload the server