diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 081b7b8c95..9153ead074 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -10,12 +10,12 @@
 .\" Title: named.conf
 .\" Author:
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 2018-12-07
+.\" Date: 2019-02-06
 .\" Manual: BIND9
 .\" Source: ISC
 .\" Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2018\-12\-07" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2019\-02\-06" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 0f7b74e7bc..76a9898b60 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -13,7 +13,7 @@
- 2018-12-07
+ 2019-02-06
 ISC
diff --git a/configure b/configure
index c34291ed3e..2d8691ed0b 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for BIND 9.13.
+# Generated by GNU Autoconf 2.69 for BIND 9.14.
 #
 # Report bugs to .
 #
@@ -589,8 +589,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='BIND'
 PACKAGE_TARNAME='bind'
-PACKAGE_VERSION='9.13'
-PACKAGE_STRING='BIND 9.13'
+PACKAGE_VERSION='9.14'
+PACKAGE_STRING='BIND 9.14'
 PACKAGE_BUGREPORT='info@isc.org'
 PACKAGE_URL='https://www.isc.org/downloads/BIND/'
@@ -1501,7 +1501,7 @@ if test "$ac_init_help" = "long"; then
 # Omit some internal or obsolete options to make the list less imposing.
 # This message is too long to be a string in the A/UX 3.1 sh.
 cat <<_ACEOF
-\`configure' configures BIND 9.13 to adapt to many kinds of systems.
+\`configure' configures BIND 9.14 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1566,7 +1566,7 @@ fi
 if test -n "$ac_init_help"; then
 case $ac_init_help in
- short | recursive ) echo "Configuration of BIND 9.13:";;
+ short | recursive ) echo "Configuration of BIND 9.14:";;
 esac
 cat <<\_ACEOF
@@ -1770,7 +1770,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
 cat <<\_ACEOF
-BIND configure 9.13
+BIND configure 9.14
 generated by GNU Autoconf 2.69
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2193,7 +2193,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake.
-It was created by BIND $as_me 9.13, which was
+It was created by BIND $as_me 9.14, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 $ $0 $@
@@ -21995,7 +21995,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by BIND $as_me 9.13, which was
+This file was extended by BIND $as_me 9.14, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 CONFIG_FILES = $CONFIG_FILES
@@ -22062,7 +22062,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-BIND config.status 9.13
+BIND config.status 9.14
 configured by $0,
 generated by GNU Autoconf 2.69,
 with options \\"\$ac_cs_config\\"
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 66ed40f1d1..16daffb8f0 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -75,7 +75,7 @@ BIND version 9 software package for system administrators.

-

This version of the manual corresponds to BIND version 9.13.

+

This version of the manual corresponds to BIND version 9.14.

@@ -614,6 +614,6 @@
-

BIND 9.13.7 (Development Release)

+

BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index f71276c6ca..4be2bfdcde 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -146,6 +146,6 @@
-

BIND 9.13.7 (Development Release)

+

BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 05adec1bc1..080a056b5c 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -856,6 +856,6 @@ controls {
-

BIND 9.13.7 (Development Release)

+

BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 980b12bbb5..5903cd5bda 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-

BIND 9.13.7 (Development Release)

+

BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 83da570b48..b7e2f96e72 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -14831,6 +14831,6 @@ HOST-127.EXAMPLE. MX 0 .
-

BIND 9.13.7 (Development Release)

+

BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index cf036f245c..f597bde80b 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
-

BIND 9.13.7 (Development Release)

+

BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 3cf00e6bd7..d83907eba4 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -191,6 +191,6 @@
-

BIND 9.13.7 (Development Release)

+

BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 3a2a872d18..c4590d52c2 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -36,17 +36,15 @@

-Release Notes for BIND Version 9.13.7

+Release Notes for BIND Version 9.14.0rc1

Introduction

- BIND 9.13 is an unstable development release of BIND. - This document summarizes new features and functional changes that - have been introduced on this branch. With each development release - leading up to the stable BIND 9.14 release, this document will be - updated with additional features added and bugs fixed. + BIND 9.14.0 is the first release of a new stable branch of BIND. + This document summarizes new features and functional changes + that have been introduced, as well as features that have been + deprecated or removed, since the last stable branch, 9.12. +

+

+

+

+ Please see the file CHANGES for a more + detailed list of changes and bug fixes.

@@ -73,23 +76,11 @@

Note on Version Numbering

- Prior to BIND 9.13, new feature development releases were tagged - as "alpha" and "beta", leading up to the first stable release - for a given development branch, which always ended in ".0". -

-

- Now, however, BIND has adopted the "odd-unstable/even-stable" - release numbering convention. There will be no "alpha" or "beta" - releases in the 9.13 branch, only increasing version numbers. - So, for example, what would previously have been called 9.13.0a1, - 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0, - 9.13.1, 9.13.2, etc. -

-

- The first stable release from this development branch will be - renamed as 9.14.0. Thereafter, maintenance releases will continue - on the 9.14 branch, while unstable feature development proceeds in - 9.15. + As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" + release numbering convention. BIND 9.14 contains new features added + during the BIND 9.13 development process. Henceforth, the 9.14 branch + will be limited to bug fixes and new feature development will proceed + in the unstable 9.15 branch, and so forth.

@@ -97,12 +88,15 @@

Supported Platforms

- BIND 9.13 has undergone substantial code refactoring and cleanup, - and some very old code has been removed that was needed to support - legacy platforms which are no longer supported by their vendors - and for which ISC is no longer able to perform quality assurance - testing. Specifically, workarounds for old versions of UnixWare, - BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed. + Since 9.12, BIND has undergone substantial code refactoring and + cleanup, and some very old code has been removed that was needed + to support legacy platforms which are no longer supported by their + vendors and for which ISC is no longer able to perform quality + assurance testing. Specifically, workarounds for old versions of + UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been + removed. +

+

On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations provided by the
@@ -117,7 +117,7 @@ for systems that are still supported by their respective vendors.

- As of BIND 9.13, the BIND development team has also made cryptography + As of BIND 9.14, the BIND development team has also made cryptography (i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL cryptography library must be available for the target platform. A PKCS#11 provider can be used instead for Public Key
@@ -141,83 +135,6 @@

-Security Fixes

-
    -
  • -

    - There was a long-existing flaw in the documentation for - ms-self, krb5-self, - ms-subdomain, and krb5-subdomain - rules in update-policy statements. Though - the policies worked as intended, operators who configured their - servers according to the misleading documentation may have - thought zone updates were more restricted than they were; - users of these rule types are advised to review the documentation - and correct their configurations if necessary. New rule types - matching the previously documented behavior will be introduced - in a future maintenance release. [GL !708] -

    -
  • -
  • -

    - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] -

    -
  • -
  • -

    - named could crash during recursive processing - of DNAME records when deny-answer-aliases was - in use. This flaw is disclosed in CVE-2018-5740. [GL #387] -

    -
  • -
  • -

    - Code change #4964, intended to prevent double signatures - when deleting an inactive zone DNSKEY in some situations, - introduced a new problem during zone processing in which - some delegation glue RRsets are incorrectly identified - as needing RRSIGs, which are then created for them using - the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's - NSEC/NSEC3 chain, but incompletely -- this can result in - a broken chain, affecting validation of proof of nonexistence - for records in the zone. [GL #771] -

    -
  • -
  • -

    - named could crash if it managed a DNSSEC - security root with managed-keys and the - authoritative zone rolled the key to an algorithm not supported - by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] -

    -
  • -
  • -

    - named leaked memory when processing a - request with multiple Key Tag EDNS options present. ISC - would like to thank Toshifumi Sakaguchi for bringing this - to our attention. This flaw is disclosed in CVE-2018-5744. - [GL #772] -

    -
  • -
  • -

    - Zone transfer controls for writable DLZ zones were not - effective as the allowzonexfr method was - not being called for such zones. This flaw is disclosed in - CVE-2019-6465. [GL #790] -

    -
  • -
-
- -
-

New Features

  •
@@ -231,15 +148,11 @@
  • - A new secondary zone option, mirror, - enables named to serve a transferred copy - of a zone's contents without acting as an authority for the - zone. A zone must be fully validated against an active trust - anchor before it can be used as a mirror zone. DNS responses - from mirror zones do not set the AA bit ("authoritative answer"), - but do set the AD bit ("authenticated data"). This feature is - meant to facilitate deployment of a local copy of the root zone, - as described in RFC 7706. [GL #33] + Support for QNAME minimization was added and enabled by default + in relaxed mode, in which BIND will fall back + to normal resolution if the remote server returns something + unexpected during the query minimization process. This default + setting might change to strict in the future.

  •
@@ -255,6 +168,19 @@ as further plugins are implemented. [GL #15]

  • +
  • +

    + A new secondary zone option, mirror, + enables named to serve a transferred copy + of a zone's contents without acting as an authority for the + zone. A zone must be fully validated against an active trust + anchor before it can be used as a mirror zone. DNS responses + from mirror zones do not set the AA bit ("authoritative answer"), + but do set the AD bit ("authenticated data"). This feature is + meant to facilitate deployment of a local copy of the root zone, + as described in RFC 7706. [GL #33] +

    +
  • BIND now can be compiled against the libidn2 @@ -281,15 +207,6 @@ signatures covering DNSKEY RRsets. [GL #145]

  • -
  • -

    - Support for QNAME minimization was added and enabled by default - in relaxed mode, in which BIND will fall back - to normal resolution if the remote server returns something - unexpected during the query minimization process. This default - setting might change to strict in the future. -

    -
  • When built on Linux, BIND now requires the libcap @@ -344,6 +261,22 @@ configuration is being reloaded.

  • +
  • +

    + The new answer-cookie option, if set to + no, prevents named from + returning a DNS COOKIE option to a client, even if such an + option was present in the request. This is only intended as + a temporary measure, for use when named + shares an IP address with other servers that do not yet + support DNS COOKIE. A mismatch between servers on the same + address is not expected to cause operational problems, but the + option to disable COOKIE responses so that all servers have the + same behavior is provided out of an abundance of caution. + DNS COOKIE is an important security mechanism, and this option + should not be used to disable it unless absolutely necessary. +

    +
@@ -488,51 +421,43 @@
  • - Support for ECC-GOST (GOST R 34.11-94) algorithm has been - removed from BIND as the algorithm has been superseded by - GOST R 34.11-2012 in RFC6986 and it must not be used in new - deployments. BIND will neither create new DNSSEC keys, - signatures and digest, nor it will validate them. + Support for the RSAMD5 algorithm has been removed freom BIND as + the usage of the RSAMD5 algorithm for DNSSEC has been deprecated + in RFC6725, the security of the MD5 algorithm has been compromised, + and its usage is considered harmful.

  • - Add the ability to not return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned - add 'answer-cookie no;' to named.conf. [GL #173] -

    -

    - answer-cookie is only intended as a temporary - measure, for use when named shares an IP address - with other servers that do not yet support DNS COOKIE. A mismatch - between servers on the same address is not expected to cause - operational problems, but the option to disable COOKIE responses so - that all servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security mechanism, - and should not be disabled unless absolutely necessary. -

    -

    - Remove support for silently ignoring 'no-change' deltas from - BIND 8 when processing an IXFR stream. 'no-change' deltas - will now trigger a fallback to AXFR as the recovery mechanism. -

    -

    - BIND 9 will no longer build on platforms that doesn't have - proper IPv6 support. BIND 9 now also requires non-broken - POSIX-compatible pthread support. Such platforms are - usually long after their end-of-life date and they are - neither developed nor supported by their respective vendors. + Support for the ECC-GOST (GOST R 34.11-94) algorithm has been + removed from BIND, as the algorithm has been superseded by + GOST R 34.11-2012 in RFC6986 and it must not be used in new + deployments. BIND will neither create new DNSSEC keys, + signatures and digests, nor it will validate them.

    +
  • +
  • Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from BIND as the DSA key length is limited to 1024 bits and this is not considered secure enough.

    +
  • +
  • - Support for RSAMD5 algorithm has been removed freom BIND as the usage - of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and - the security of MD5 algorithm has been compromised and the its usage - is considered harmful. + named will no longer ignore "no-change" deltas + when processing an IXFR stream. This had previously been + permitted for compatibility with BIND 8, but now "no-change" + deltas will trigger a fallback to AXFR as the recovery mechanism. +

    +
  • +
  • +

    + BIND 9 will no longer build on platforms that don't have + proper IPv6 support. BIND 9 now also requires POSIX-compatible + pthread support. Most of the platforms that lack these featuers + are long past their end-of-lifew dates, and they are neither + developed nor supported by their respective vendors.

  •
@@ -556,7 +481,7 @@

    BIND will now always use the best CSPRNG (cryptographically-secure pseudo-random number generator) available on the platform where
- it is compiled. It will use arc4random()
+ it is compiled. It will use the arc4random()
 family of functions on BSD operating systems, getrandom() on Linux and Solaris, CryptGenRandom on Windows, and the selected
@@ -687,64 +612,6 @@

    -Bug Fixes

    -
      -
    • -

      - Running rndc reconfig could cause - inline-signing zones to stop signing. - [GL #439] -

      -
    • -
    • -

      - Reloading all zones caused zone maintenance to stop for - inline-signing zones. [GL #435] -

      -
    • -
    • -

      - Signatures loaded from the journal for the signed version - of an inline-signing zone were not scheduled - for refresh. [GL #482] -

      -
    • -
    • -

      - A referral response with a non-empty ANSWER section was - incorrectly treated as an error; this caused certain domains - to be non-resolvable. [GL #390] -

      -
    • -
    • -

      - When a negative trust anchor was added to multiple views - using rndc nta, the text returned via - rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been - added. This has been fixed. [GL #105] -

      -
    • -
    • -

      - The view name is now included in the output of - rndc nta -dump, for consistency with - other options. [GL !816] -

      -
    • -
    • -

      - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] -

      -
    • -
    -
    - -
    -

    License

    BIND is open source software licenced under the terms of the Mozilla
@@ -770,11 +637,6 @@

    End of Life

    -

    - BIND 9.13 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.14, which will be a - stable branch. -

    The end of life date for BIND 9.14 has not yet been determined. For those needing long term support, the current Extended Support
@@ -815,6 +677,6 @@

    -

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 0d288497fb..671a4ff706 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -148,6 +148,6 @@
    -

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index c76e6884c1..8698aa7aab 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -914,6 +914,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html
index 8b8eacf8dd..885f1f2e51 100644
--- a/doc/arm/Bv9ARM.ch11.html
+++ b/doc/arm/Bv9ARM.ch11.html
@@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html
index f5ea578f49..5176ec6d7b 100644
--- a/doc/arm/Bv9ARM.ch12.html
+++ b/doc/arm/Bv9ARM.ch12.html
@@ -210,6 +210,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index f34ead3623..6db7bc6e66 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -32,7 +32,7 @@

    BIND 9 Administrator Reference Manual

    -

    BIND Version 9.13.7

    +

    BIND Version 9.14.0rc1


    @@ -242,17 +242,15 @@
    A. Release Notes
    -
    Release Notes for BIND Version 9.13.7
    +
    Release Notes for BIND Version 9.14.0rc1
    Introduction
    Note on Version Numbering
    Supported Platforms
    Download
    -
    Security Fixes
    New Features
    Removed Features
    Feature Changes
    -
    Bug Fixes
    License
    End of Life
    Thank You
@@ -440,6 +438,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 6f09188b0f..451cbaeb5d 100644
Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 159bc6a018..59f0173fc4 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -90,6 +90,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index ddfb71177e..a65a0ab83f 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -220,6 +220,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index e428a34cd0..4aebed669a 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -625,6 +625,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index 4c91a19399..5b2317a786 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -1151,6 +1151,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html
index 716fd08348..6a621d55a1 100644
--- a/doc/arm/man.dnssec-cds.html
+++ b/doc/arm/man.dnssec-cds.html
@@ -376,6 +376,6 @@ nsupdate -l
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index f995dd1dbb..144fd81847 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -150,6 +150,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index c4c41993a9..1fce0a0580 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -270,6 +270,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index ed6f31b787..7e5cbf0507 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -352,6 +352,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index 185e799de0..a67ab2643d 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -250,6 +250,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index 10b2d7caad..60f67a8597 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -498,6 +498,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index b90a92e595..77ecef353a 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -568,6 +568,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html
index b7f030a4cf..71b7edfceb 100644
--- a/doc/arm/man.dnssec-keymgr.html
+++ b/doc/arm/man.dnssec-keymgr.html
@@ -405,6 +405,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index e44bac51dd..f8f1160730 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -171,6 +171,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 1c632d4305..6d8c6ec8c2 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -349,6 +349,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index 6db49ecb3b..dd9ceab740 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -701,6 +701,6 @@ db.example.com.signed
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index c305a03942..839019fc84 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -202,6 +202,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html
index b913758304..f932c4ebd4 100644
--- a/doc/arm/man.dnstap-read.html
+++ b/doc/arm/man.dnstap-read.html
@@ -143,6 +143,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html
index 46c7b10955..eea3f1254a 100644
--- a/doc/arm/man.filter-aaaa.html
+++ b/doc/arm/man.filter-aaaa.html
@@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" {
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 60d37f42a0..b7e59211de 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -366,6 +366,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html
index 6960d7246b..b50854adbd 100644
--- a/doc/arm/man.mdig.html
+++ b/doc/arm/man.mdig.html
@@ -604,6 +604,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 385cb1274a..902437f2cb 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -208,6 +208,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index dbb4ce40d0..1a92039591 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -463,6 +463,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 5a84d13d8a..a9e8fa344f 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -117,6 +117,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html
index 2b29a17eb7..df46eaff2a 100644
--- a/doc/arm/man.named-nzd2nzf.html
+++ b/doc/arm/man.named-nzd2nzf.html
@@ -119,6 +119,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index 5431bba8ab..4628d1fedb 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -121,6 +121,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
index 7358cfc9fb..b4c88dcb7d 100644
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@@ -1073,6 +1073,6 @@ zone
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index 5daf25a404..64c1fec589 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -492,6 +492,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index 01beacced7..2f9a155623 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -155,6 +155,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html
index 538e1540d0..137a160e36 100644
--- a/doc/arm/man.nslookup.html
+++ b/doc/arm/man.nslookup.html
@@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index eef7156966..366d56d782 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -818,6 +818,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html
index a6793e1136..8fd354e8da 100644
--- a/doc/arm/man.pkcs11-destroy.html
+++ b/doc/arm/man.pkcs11-destroy.html
@@ -162,6 +162,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html
index c6b50c53a8..38d6ea9d78 100644
--- a/doc/arm/man.pkcs11-keygen.html
+++ b/doc/arm/man.pkcs11-keygen.html
@@ -200,6 +200,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html
index ba0ca52634..97078de259 100644
--- a/doc/arm/man.pkcs11-list.html
+++ b/doc/arm/man.pkcs11-list.html
@@ -158,6 +158,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html
index 42caef99f0..04e7bf6126 100644
--- a/doc/arm/man.pkcs11-tokens.html
+++ b/doc/arm/man.pkcs11-tokens.html
@@ -123,6 +123,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index be4ec4331d..2c67c0d42a 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -260,6 +260,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 1583c9e6cd..25aba32d88 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -268,6 +268,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

    diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 2aefe33c06..0d4dade17c 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -1024,6 +1024,6 @@
-

    BIND 9.13.7 (Development Release)

    +

    BIND 9.14.0rc1 (Stable Release)

    diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index d52d68c194..d8798a0329 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -15,17 +15,22 @@

    -Release Notes for BIND Version 9.13.7

    +Release Notes for BIND Version 9.14.0rc1

    Introduction

    - BIND 9.13 is an unstable development release of BIND. - This document summarizes new features and functional changes that - have been introduced on this branch. With each development release - leading up to the stable BIND 9.14 release, this document will be - updated with additional features added and bugs fixed. + BIND 9.14.0 is the first release of a new stable branch of BIND. + This document summarizes new features and functional changes + that have been introduced, as well as features that have been + deprecated or removed, since the last stable branch, 9.12. +

    +

    +

    +

    + Please see the file CHANGES for a more + detailed list of changes and bug fixes.

    @@ -33,23 +38,11 @@

    Note on Version Numbering

    - Prior to BIND 9.13, new feature development releases were tagged - as "alpha" and "beta", leading up to the first stable release - for a given development branch, which always ended in ".0". -

    -

    - Now, however, BIND has adopted the "odd-unstable/even-stable" - release numbering convention. There will be no "alpha" or "beta" - releases in the 9.13 branch, only increasing version numbers. - So, for example, what would previously have been called 9.13.0a1, - 9.13.0a2, 9.13.0b1, and so on, will instead be called 9.13.0, - 9.13.1, 9.13.2, etc. -

    -

    - The first stable release from this development branch will be - renamed as 9.14.0. Thereafter, maintenance releases will continue - on the 9.14 branch, while unstable feature development proceeds in - 9.15. + As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" + release numbering convention. BIND 9.14 contains new features added + during the BIND 9.13 development process. Henceforth, the 9.14 branch + will be limited to bug fixes and new feature development will proceed + in the unstable 9.15 branch, and so forth.

    @@ -57,12 +50,15 @@

    Supported Platforms

    - BIND 9.13 has undergone substantial code refactoring and cleanup, - and some very old code has been removed that was needed to support - legacy platforms which are no longer supported by their vendors - and for which ISC is no longer able to perform quality assurance - testing. Specifically, workarounds for old versions of UnixWare, - BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been removed. + Since 9.12, BIND has undergone substantial code refactoring and + cleanup, and some very old code has been removed that was needed + to support legacy platforms which are no longer supported by their + vendors and for which ISC is no longer able to perform quality + assurance testing. Specifically, workarounds for old versions of + UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster and IRIX have been + removed. +

    +

    On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations provided by the @@ -77,7 +73,7 @@ for systems that are still supported by their respective vendors.

    - As of BIND 9.13, the BIND development team has also made cryptography + As of BIND 9.14, the BIND development team has also made cryptography (i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL cryptography library must be available for the target platform. A PKCS#11 provider can be used instead for Public Key @@ -101,83 +97,6 @@

    -Security Fixes

    -
      -
    • -

      - There was a long-existing flaw in the documentation for - ms-self, krb5-self, - ms-subdomain, and krb5-subdomain - rules in update-policy statements. Though - the policies worked as intended, operators who configured their - servers according to the misleading documentation may have - thought zone updates were more restricted than they were; - users of these rule types are advised to review the documentation - and correct their configurations if necessary. New rule types - matching the previously documented behavior will be introduced - in a future maintenance release. [GL !708] -

      -
    • -
    • -

      - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] -

      -
    • -
    • -

      - named could crash during recursive processing - of DNAME records when deny-answer-aliases was - in use. This flaw is disclosed in CVE-2018-5740. [GL #387] -

      -
    • -
    • -

      - Code change #4964, intended to prevent double signatures - when deleting an inactive zone DNSKEY in some situations, - introduced a new problem during zone processing in which - some delegation glue RRsets are incorrectly identified - as needing RRSIGs, which are then created for them using - the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's - NSEC/NSEC3 chain, but incompletely -- this can result in - a broken chain, affecting validation of proof of nonexistence - for records in the zone. [GL #771] -

      -
    • -
    • -

      - named could crash if it managed a DNSSEC - security root with managed-keys and the - authoritative zone rolled the key to an algorithm not supported - by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] -

      -
    • -
    • -

      - named leaked memory when processing a - request with multiple Key Tag EDNS options present. ISC - would like to thank Toshifumi Sakaguchi for bringing this - to our attention. This flaw is disclosed in CVE-2018-5744. - [GL #772] -

      -
    • -
    • -

      - Zone transfer controls for writable DLZ zones were not - effective as the allowzonexfr method was - not being called for such zones. This flaw is disclosed in - CVE-2019-6465. [GL #790] -

      -
    • -
    -
    - -
    -

    New Features

    • @@ -191,15 +110,11 @@
    • - A new secondary zone option, mirror, - enables named to serve a transferred copy - of a zone's contents without acting as an authority for the - zone. A zone must be fully validated against an active trust - anchor before it can be used as a mirror zone. DNS responses - from mirror zones do not set the AA bit ("authoritative answer"), - but do set the AD bit ("authenticated data"). This feature is - meant to facilitate deployment of a local copy of the root zone, - as described in RFC 7706. [GL #33] + Support for QNAME minimization was added and enabled by default + in relaxed mode, in which BIND will fall back + to normal resolution if the remote server returns something + unexpected during the query minimization process. This default + setting might change to strict in the future.

    • @@ -215,6 +130,19 @@ as further plugins are implemented. [GL #15]

    • +
    • +

      + A new secondary zone option, mirror, + enables named to serve a transferred copy + of a zone's contents without acting as an authority for the + zone. A zone must be fully validated against an active trust + anchor before it can be used as a mirror zone. DNS responses + from mirror zones do not set the AA bit ("authoritative answer"), + but do set the AD bit ("authenticated data"). This feature is + meant to facilitate deployment of a local copy of the root zone, + as described in RFC 7706. [GL #33] +

      +
    • BIND now can be compiled against the libidn2 @@ -241,15 +169,6 @@ signatures covering DNSKEY RRsets. [GL #145]

    • -
    • -

      - Support for QNAME minimization was added and enabled by default - in relaxed mode, in which BIND will fall back - to normal resolution if the remote server returns something - unexpected during the query minimization process. This default - setting might change to strict in the future. -

      -
    • When built on Linux, BIND now requires the libcap @@ -304,6 +223,22 @@ configuration is being reloaded.

    • +
    • +

      + The new answer-cookie option, if set to + no, prevents named from + returning a DNS COOKIE option to a client, even if such an + option was present in the request. This is only intended as + a temporary measure, for use when named + shares an IP address with other servers that do not yet + support DNS COOKIE. A mismatch between servers on the same + address is not expected to cause operational problems, but the + option to disable COOKIE responses so that all servers have the + same behavior is provided out of an abundance of caution. + DNS COOKIE is an important security mechanism, and this option + should not be used to disable it unless absolutely necessary. +

      +
    @@ -448,51 +383,43 @@
  • - Support for ECC-GOST (GOST R 34.11-94) algorithm has been - removed from BIND as the algorithm has been superseded by - GOST R 34.11-2012 in RFC6986 and it must not be used in new - deployments. BIND will neither create new DNSSEC keys, - signatures and digest, nor it will validate them. + Support for the RSAMD5 algorithm has been removed freom BIND as + the usage of the RSAMD5 algorithm for DNSSEC has been deprecated + in RFC6725, the security of the MD5 algorithm has been compromised, + and its usage is considered harmful.

  • - Add the ability to not return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned - add 'answer-cookie no;' to named.conf. [GL #173] -

    -

    - answer-cookie is only intended as a temporary - measure, for use when named shares an IP address - with other servers that do not yet support DNS COOKIE. A mismatch - between servers on the same address is not expected to cause - operational problems, but the option to disable COOKIE responses so - that all servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security mechanism, - and should not be disabled unless absolutely necessary. -

    -

    - Remove support for silently ignoring 'no-change' deltas from - BIND 8 when processing an IXFR stream. 'no-change' deltas - will now trigger a fallback to AXFR as the recovery mechanism. -

    -

    - BIND 9 will no longer build on platforms that doesn't have - proper IPv6 support. BIND 9 now also requires non-broken - POSIX-compatible pthread support. Such platforms are - usually long after their end-of-life date and they are - neither developed nor supported by their respective vendors. + Support for the ECC-GOST (GOST R 34.11-94) algorithm has been + removed from BIND, as the algorithm has been superseded by + GOST R 34.11-2012 in RFC6986 and it must not be used in new + deployments. BIND will neither create new DNSSEC keys, + signatures and digests, nor it will validate them.

    +
  • +
  • Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from BIND as the DSA key length is limited to 1024 bits and this is not considered secure enough.

    +
  • +
  • - Support for RSAMD5 algorithm has been removed freom BIND as the usage - of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and - the security of MD5 algorithm has been compromised and the its usage - is considered harmful. + named will no longer ignore "no-change" deltas + when processing an IXFR stream. This had previously been + permitted for compatibility with BIND 8, but now "no-change" + deltas will trigger a fallback to AXFR as the recovery mechanism. +

    +
  • +
  • +

    + BIND 9 will no longer build on platforms that don't have + proper IPv6 support. BIND 9 now also requires POSIX-compatible + pthread support. Most of the platforms that lack these featuers + are long past their end-of-lifew dates, and they are neither + developed nor supported by their respective vendors.

  • @@ -516,7 +443,7 @@

    BIND will now always use the best CSPRNG (cryptographically-secure pseudo-random number generator) available on the platform where - it is compiled. It will use arc4random() + it is compiled. It will use the arc4random() family of functions on BSD operating systems, getrandom() on Linux and Solaris, CryptGenRandom on Windows, and the selected @@ -647,64 +574,6 @@

    -Bug Fixes

    -
      -
    • -

      - Running rndc reconfig could cause - inline-signing zones to stop signing. - [GL #439] -

      -
    • -
    • -

      - Reloading all zones caused zone maintenance to stop for - inline-signing zones. [GL #435] -

      -
    • -
    • -

      - Signatures loaded from the journal for the signed version - of an inline-signing zone were not scheduled - for refresh. [GL #482] -

      -
    • -
    • -

      - A referral response with a non-empty ANSWER section was - incorrectly treated as an error; this caused certain domains - to be non-resolvable. [GL #390] -

      -
    • -
    • -

      - When a negative trust anchor was added to multiple views - using rndc nta, the text returned via - rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been - added. This has been fixed. [GL #105] -

      -
    • -
    • -

      - The view name is now included in the output of - rndc nta -dump, for consistency with - other options. [GL !816] -

      -
    • -
    • -

      - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] -

      -
    • -
    -
    - -
    -

    License

    BIND is open source software licenced under the terms of the Mozilla @@ -730,11 +599,6 @@

    End of Life

    -

    - BIND 9.13 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.14, which will be a - stable branch. -

    The end of life date for BIND 9.14 has not yet been determined. For those needing long term support, the current Extended Support
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf
index 351ff0a2c4..d145973464 100644
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt
index 3415899e18..ece2c621dd 100644
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@@ -1,40 +1,35 @@ -Release Notes for BIND Version 9.13.7 +Release Notes for BIND Version 9.14.0rc1 Introduction -BIND 9.13 is an unstable development release of BIND. This document -summarizes new features and functional changes that have been introduced -on this branch. With each development release leading up to the stable -BIND 9.14 release, this document will be updated with additional features -added and bugs fixed. +BIND 9.14.0 is the first release of a new stable branch of BIND. This +document summarizes new features and functional changes that have been +introduced, as well as features that have been deprecated or removed, +since the last stable branch, 9.12. + +Please see the file CHANGES for a more detailed list of changes and bug +fixes. Note on Version Numbering -Prior to BIND 9.13, new feature development releases were tagged as -"alpha" and "beta", leading up to the first stable release for a given -development branch, which always ended in ".0". - -Now, however, BIND has adopted the "odd-unstable/even-stable" release -numbering convention. There will be no "alpha" or "beta" releases in the -9.13 branch, only increasing version numbers. So, for example, what would -previously have been called 9.13.0a1, 9.13.0a2, 9.13.0b1, and so on, will -instead be called 9.13.0, 9.13.1, 9.13.2, etc. - -The first stable release from this development branch will be renamed as -9.14.0. Thereafter, maintenance releases will continue on the 9.14 branch, -while unstable feature development proceeds in 9.15. +As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" +release numbering convention. BIND 9.14 contains new features added during +the BIND 9.13 development process. Henceforth, the 9.14 branch will be +limited to bug fixes and new feature development will proceed in the +unstable 9.15 branch, and so forth. 
Supported Platforms -BIND 9.13 has undergone substantial code refactoring and cleanup, and some -very old code has been removed that was needed to support legacy platforms -which are no longer supported by their vendors and for which ISC is no -longer able to perform quality assurance testing. Specifically, +Since 9.12, BIND has undergone substantial code refactoring and cleanup, +and some very old code has been removed that was needed to support legacy +platforms which are no longer supported by their vendors and for which ISC +is no longer able to perform quality assurance testing. Specifically, workarounds for old versions of UnixWare, BSD/OS, AIX, Tru64, SunOS, -TruCluster and IRIX have been removed. On UNIX-like systems, BIND now -requires support for POSIX.1c threads (IEEE Std 1003.1c-1995), the -Advanced Sockets API for IPv6 (RFC 3542), and standard atomic operations -provided by the C compiler. +TruCluster and IRIX have been removed. + +On UNIX-like systems, BIND now requires support for POSIX.1c threads (IEEE +Std 1003.1c-1995), the Advanced Sockets API for IPv6 (RFC 3542), and +standard atomic operations provided by the C compiler. More information can be found in the PLATFORM.md file that is included in the source distribution of BIND 9. If your platform compiler and system @@ -43,7 +38,7 @@ that isn't the case, the BIND development team will generally accept patches that add support for systems that are still supported by their respective vendors. -As of BIND 9.13, the BIND development team has also made cryptography +As of BIND 9.14, the BIND development team has also made cryptography (i.e., TSIG and DNSSEC) an integral part of the DNS server. The OpenSSL cryptography library must be available for the target platform. A PKCS#11 provider can be used instead for Public Key cryptography (i.e., DNSSEC 
@@ -57,52 +52,6 @@ www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -Security Fixes - - * There was a long-existing flaw in the documentation for ms-self, - krb5-self, ms-subdomain, and krb5-subdomain rules in update-policy - statements. Though the policies worked as intended, operators who - configured their servers according to the misleading documentation may - have thought zone updates were more restricted than they were; users - of these rule types are advised to review the documentation and - correct their configurations if necessary. New rule types matching the - previously documented behavior will be introduced in a future - maintenance release. [GL !708] - - * When recursion is enabled but the allow-recursion and - allow-query-cache ACLs are not specified, they should be limited to - local networks, but they were inadvertently set to match the default - allow-query, thus allowing remote queries. This flaw is disclosed in - CVE-2018-5738. [GL #309] - - * named could crash during recursive processing of DNAME records when - deny-answer-aliases was in use. This flaw is disclosed in - CVE-2018-5740. [GL #387] - - * Code change #4964, intended to prevent double signatures when deleting - an inactive zone DNSKEY in some situations, introduced a new problem - during zone processing in which some delegation glue RRsets are - incorrectly identified as needing RRSIGs, which are then created for - them using the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 - chain, but incompletely -- this can result in a broken chain, - affecting validation of proof of nonexistence for records in the zone. - [GL #771] - - * named could crash if it managed a DNSSEC security root with - managed-keys and the authoritative zone rolled the key to an algorithm - not supported by BIND 9. 
This flaw is disclosed in CVE-2018-5745. [GL - #780] - - * named leaked memory when processing a request with multiple Key Tag - EDNS options present. ISC would like to thank Toshifumi Sakaguchi for - bringing this to our attention. This flaw is disclosed in - CVE-2018-5744. [GL #772] - - * Zone transfer controls for writable DLZ zones were not effective as - the allowzonexfr method was not being called for such zones. This flaw - is disclosed in CVE-2019-6465. [GL #790] - New Features * Task manager and socket code have been substantially modified. The @@ -110,6 +59,20 @@ New Features event loops in CPU-affinitive threads. This greatly improves performance on large systems, especially when using multi-queue NICs. + * Support for QNAME minimization was added and enabled by default in + relaxed mode, in which BIND will fall back to normal resolution if the + remote server returns something unexpected during the query + minimization process. This default setting might change to strict in + the future. + + * A new plugin mechanism has been added to allow extension of query + processing functionality through the use of external libraries. The + new filter-aaaa.so plugin replaces the filter-aaaa feature that was + formerly implemented as a native part of BIND. + + The plugin API is a work in progress and is likely to evolve as + further plugins are implemented. [GL #15] + * A new secondary zone option, mirror, enables named to serve a transferred copy of a zone's contents without acting as an authority for the zone. A zone must be fully validated against an active trust 
@@ -119,14 +82,6 @@ New Features facilitate deployment of a local copy of the root zone, as described in RFC 7706. [GL #33] - * A new plugin mechanism has been added to allow extension of query - processing functionality through the use of external libraries. The - new filter-aaaa.so plugin replaces the filter-aaaa feature that was - formerly implemented as a native part of BIND. - - The plugin API is a work in progress and is likely to evolve as - further plugins are implemented. [GL #15] - * BIND now can be compiled against the libidn2 library to add IDNA2008 support. Previously, BIND supported IDNA2003 using the (now obsolete and unsupported) idnkit-1 library. @@ -140,12 +95,6 @@ New Features * The dnskey-sig-validity option allows the sig-validity-interval to be overriden for signatures covering DNSKEY RRsets. [GL #145] - * Support for QNAME minimization was added and enabled by default in - relaxed mode, in which BIND will fall back to normal resolution if the - remote server returns something unexpected during the query - minimization process. This default setting might change to strict in - the future. - * When built on Linux, BIND now requires the libcap library to set process privileges. The adds a new compile-time dependency, which can be met on most Linux platforms by installing the libcap-dev or 
@@ -178,6 +127,17 @@ New Features * rndc status output now includes a reconfig/reload in progress status line if named configuration is being reloaded. + * The new answer-cookie option, if set to no, prevents named from + returning a DNS COOKIE option to a client, even if such an option was + present in the request. This is only intended as a temporary measure, + for use when named shares an IP address with other servers that do not + yet support DNS COOKIE. A mismatch between servers on the same address + is not expected to cause operational problems, but the option to + disable COOKIE responses so that all servers have the same behavior is + provided out of an abundance of caution. DNS COOKIE is an important + security mechanism, and this option should not be used to disable it + unless absolutely necessary. + Removed Features * Workarounds for servers that misbehave when queried with EDNS have 
@@ -257,43 +217,31 @@ Removed Features The -p option to use pseudo-random data has been removed from the dnssec-signzone command. - * Support for ECC-GOST (GOST R 34.11-94) algorithm has been removed from - BIND as the algorithm has been superseded by GOST R 34.11-2012 in - RFC6986 and it must not be used in new deployments. BIND will neither - create new DNSSEC keys, signatures and digest, nor it will validate - them. + * Support for the RSAMD5 algorithm has been removed freom BIND as the + usage of the RSAMD5 algorithm for DNSSEC has been deprecated in + RFC6725, the security of the MD5 algorithm has been compromised, and + its usage is considered harmful. - * Add the ability to not return a DNS COOKIE option when one is present - in the request. To prevent a cookie being returned add 'answer-cookie - no;' to named.conf. [GL #173] + * Support for the ECC-GOST (GOST R 34.11-94) algorithm has been removed + from BIND, as the algorithm has been superseded by GOST R 34.11-2012 + in RFC6986 and it must not be used in new deployments. BIND will + neither create new DNSSEC keys, signatures and digests, nor it will + validate them. - answer-cookie is only intended as a temporary measure, for use when - named shares an IP address with other servers that do not yet support - DNS COOKIE. A mismatch between servers on the same address is not - expected to cause operational problems, but the option to disable - COOKIE responses so that all servers have the same behavior is - provided out of an abundance of caution. DNS COOKIE is an important - security mechanism, and should not be disabled unless absolutely - necessary. - - Remove support for silently ignoring 'no-change' deltas from BIND 8 - when processing an IXFR stream. 'no-change' deltas will now trigger a - fallback to AXFR as the recovery mechanism. - - BIND 9 will no longer build on platforms that doesn't have proper IPv6 - support. BIND 9 now also requires non-broken POSIX-compatible pthread - support. 
Such platforms are usually long after their end-of-life date - and they are neither developed nor supported by their respective - vendors. - - Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from + * Support for DSA and DSA-NSEC3-SHA1 algorithms has been removed from BIND as the DSA key length is limited to 1024 bits and this is not considered secure enough. - Support for RSAMD5 algorithm has been removed freom BIND as the usage - of the RSAMD5 algorithm for DNSSEC has been deprecated in RFC6725 and - the security of MD5 algorithm has been compromised and the its usage - is considered harmful. + * named will no longer ignore "no-change" deltas when processing an IXFR + stream. This had previously been permitted for compatibility with BIND + 8, but now "no-change" deltas will trigger a fallback to AXFR as the + recovery mechanism. + + * BIND 9 will no longer build on platforms that don't have proper IPv6 + support. BIND 9 now also requires POSIX-compatible pthread support. + Most of the platforms that lack these featuers are long past their + end-of-lifew dates, and they are neither developed nor supported by + their respective vendors. * The incomplete support for internationalization message catalogs has been removed from BIND. Since the internationalization was never @@ -306,7 +254,7 @@ Feature Changes * BIND will now always use the best CSPRNG (cryptographically-secure pseudo-random number generator) available on the platform where it is - compiled. It will use arc4random() family of functions on BSD + compiled. It will use the arc4random() family of functions on BSD operating systems, getrandom() on Linux and Solaris, CryptGenRandom on Windows, and the selected cryptography provider library (OpenSSL or PKCS#11) as the last resort. [GL #221] 
@@ -369,33 +317,6 @@ Feature Changes * Zone signing and key maintenance events are now logged to the dnssec category rather than zone. -Bug Fixes - - * Running rndc reconfig could cause inline-signing zones to stop - signing. [GL #439] - - * Reloading all zones caused zone maintenance to stop for inline-signing - zones. [GL #435] - - * Signatures loaded from the journal for the signed version of an - inline-signing zone were not scheduled for refresh. [GL #482] - - * A referral response with a non-empty ANSWER section was incorrectly - treated as an error; this caused certain domains to be non-resolvable. - [GL #390] - - * When a negative trust anchor was added to multiple views using rndc - nta, the text returned via rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been added. This - has been fixed. [GL #105] - - * The view name is now included in the output of rndc nta -dump, for - consistency with other options. [GL !816] - - * named now rejects excessively large incremental (IXFR) zone transfers - in order to prevent possible corruption of journal files which could - cause named to abort when loading zones. [GL #339] - License BIND is open source software licenced under the terms of the Mozilla @@ -413,9 +334,6 @@ www.isc.org/mission/contact/. End of Life -BIND 9.13 is an unstable development branch. When its development is -complete, it will be renamed to BIND 9.14, which will be a stable branch. - The end of life date for BIND 9.14 has not yet been determined. For those needing long term support, the current Extended Support Version (ESV) is BIND 9.11, which will be supported until at least December 2021. See