diff --git a/CHANGES b/CHANGES index 8284bdbd74..01592c62b7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,16 +1,16 @@ 5485. [placeholder] -5484. [func] Expire the 0 TTL RRSet quickly rather using them for - stale answers. [GL #1829] +5484. [func] Expire zero TTL records quickly rather than using them + for stale answers. [GL #1829] 5483. [func] Keeping "stale" answers in cache has been disabled by default and can be re-enabled with a new configuration option "stale-cache-enable". [GL #1712] -5482. [bug] BIND 9 would fail to bind to IPv6 addresses in a - tentative state when a new IPv6 address was added to the - system, but the Duplicate Address Detection (DAD) - mechanism had not yet finished. [GL #2038] +5482. [bug] If the Duplicate Address Detection (DAD) mechanism had + not yet finished after adding a new IPv6 address to the + system, BIND 9 would fail to bind to IPv6 addresses in a + tentative state. [GL #2038] 5481. [security] "update-policy" rules of type "subdomain" were incorrectly treated as "zonesub" rules, which allowed 
@@ -33,53 +33,57 @@ sending a specially crafted large TCP DNS message. (CVE-2020-8620) [GL #1996] -5477. [bug] The idle timeout for connected TCP sockets is now - derived from the client query processing timeout - configured for a resolver. [GL #2024] +5477. [bug] The idle timeout for connected TCP sockets, which was + previously set to a high fixed value, is now derived + from the client query processing timeout configured for + a resolver. [GL #2024] 5476. [security] It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request. (CVE-2020-8622) [GL #2028] -5475. [bug] Fix RPZ wildcard passthru ignored when a rejection - would overwrite a passthru action matching some - rule in a previously loaded passthru rpz zone. - [GL #1619] +5475. [bug] Wildcard RPZ passthru rules could incorrectly be + overridden by other rules that were loaded from RPZ + zones which appeared later in the "response-policy" + statement. This has been fixed. [GL #1619] 5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE when it should have. [GL !3880] -5473. [func] The rbt hashtable implementation has been changed - to use faster hash-function (HalfSipHash2-4) and - uses Fibonacci hashing for better distribution. - Setting the max-cache-size now preallocates fixed - size hashtable, so the rehashing doesn't cause - resolution brownouts when growing the hashtable. - [GL #1775] +5473. [func] The RBT hash table implementation has been changed + to use a faster hash function (HalfSipHash2-4) and + Fibonacci hashing for better distribution. Setting + "max-cache-size" now preallocates a fixed-size hash + table so that rehashing does not cause resolution + brownouts while the hash table is grown. [GL #1775] 5472. [func] The statistics channel has been updated to use the new network manager. [GL #2022] -5471. [bug] The introduction of KASP support broke whether the - second field of sig-validity-interval was treated as - days or hours. 
(Thanks to Tony Finch.) [GL !3735] +5471. [bug] The introduction of KASP support inadvertently caused + the second field of "sig-validity-interval" to always be + calculated in hours, even in cases when it should have + been calculated in days. This has been fixed. (Thanks to + Tony Finch.) [GL !3735] -5470. [port] illumos: only call gsskrb5_register_acceptor_identity - if we have gssapi_krb5.h. [GL #1995] +5470. [port] gsskrb5_register_acceptor_identity() is now only called + if gssapi_krb5.h is present. [GL #1995] -5469. [port] illumos: SEC is defined in which - conflicted with our use of SEC. [GL #1993] +5469. [port] On illumos, a constant called SEC is already defined in + , which conflicts with an identically named + constant in libbind9. This conflict has been resolved. + [GL #1993] -5468. [bug] Address potential double unlock in process_fd(). +5468. [bug] Addressed potential double unlock in process_fd(). [GL #2005] 5467. [func] The control channel and the rndc utility have been updated to use the new network manager. To support this, the network manager was updated to enable - wthe initiation of client TCP connections. Its + the initiation of client TCP connections. Its internal reference counting has been refactored. - Note: As side effects of this change, rndc cannot + Note: As a side effect of this change, rndc cannot currently be used with UNIX-domain sockets, and its default timeout has changed from 60 seconds to 30. These will be addressed in a future release. 
@@ -88,30 +92,30 @@ 5466. [bug] Addressed an error in recursive clients stats reporting. [GL #1719] -5465. [func] Fallback to built in trust-anchors, managed-keys, or - trusted-keys if the bindkeys-file (bind.keys) cannot +5465. [func] Added fallback to built-in trust-anchors, managed-keys, + or trusted-keys if the bindkeys-file (bind.keys) cannot be parsed. [GL #1235] -5464. [bug] Specifying saving more than 128 files when rolling - dnstap / log files would cause buffer overflow. - [GL #1989] +5464. [bug] Requesting more than 128 files to be saved when rolling + dnstap log files caused a buffer overflow. This has been + fixed. [GL #1989] 5463. [placeholder] 5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976] -5461. [bug] The header STALE attribute was not being updated with - the write lock being held leading to incorrect - statistics. Convert the header attributes to use atomic - operations. [GL #1475] +5461. [bug] The STALE rdataset header attribute was updated while + the write lock was not being held, leading to incorrect + statistics. The header attributes are now converted to + use atomic operations. [GL #1475] 5460. [cleanup] tsig-keygen was previously an alias for ddns-confgen and was documented in the ddns-confgen man page. This has been reversed; tsig-keygen is now the primary name. [GL #1998] -5459. [bug] Bad isc_mem_put() size when an invalid type was - specified in a update-policy rule. [GL #1990] +5459. [bug] Fixed bad isc_mem_put() size when an invalid type was + specified in an "update-policy" rule. [GL #1990] --- 9.17.3 released --- diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst index 16a8227d75..334d021820 100644 --- a/doc/arm/notes.rst +++ b/doc/arm/notes.rst 
@@ -52,7 +52,7 @@ https://www.isc.org/download/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. -.. include:: ../notes/notes-current.rst +.. include:: ../notes/notes-9.17.4.rst .. include:: ../notes/notes-9.17.3.rst .. include:: ../notes/notes-9.17.2.rst .. include:: ../notes/notes-9.17.1.rst diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-9.17.4.rst similarity index 57% rename from doc/notes/notes-current.rst rename to doc/notes/notes-9.17.4.rst index f7b490b80e..0571babf09 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-9.17.4.rst @@ -53,14 +53,12 @@ Security Fixes ISC would like to thank Joop Boonen of credativ GmbH for bringing this vulnerability to our attention. [GL #2055] -Known Issues -~~~~~~~~~~~~ - -- None. - New Features ~~~~~~~~~~~~ +- A new configuration option ``stale-cache-enable`` has been introduced + to enable or disable keeping stale answers in cache. [GL #1712] + - ``rndc`` has been updated to use the new BIND network manager API. This change had the side effect of altering the TCP timeout for RNDC connections from 60 seconds to the ``tcp-idle-timeout`` value, which 
@@ -73,44 +71,57 @@ New Features - Statistics channels have also been updated to use the new BIND network manager API. [GL #2022] -- A new configuration option ``stale-cache-enable`` has been introduced to - enable or disable the keeping of stale answers in cache. [GL #1712] - Feature Changes ~~~~~~~~~~~~~~~ - BIND's cache database implementation has been updated to use a faster - hash-function with better distribution. In addition, the effective - max-cache-size (configured explicitly, defaulting to a value based on system - memory or set to 'unlimited') now pre-allocates fixed size hash tables. This - prevents interruption to query resolution when the hash tables need to be - increased in size. [GL #1775] + hash function with better distribution. In addition, the effective + ``max-cache-size`` (configured explicitly, defaulting to a value based + on system memory or set to ``unlimited``) now pre-allocates fixed-size + hash tables. This prevents interruption to query resolution when the + hash table sizes need to be increased. [GL #1775] - Keeping stale answers in cache has been disabled by default. + [GL #1712] -- The resource records received with 0 TTL are no longer kept in the cache +- Resource records received with 0 TTL are no longer kept in the cache to be used for stale answers. [GL #1829] Bug Fixes ~~~~~~~~~ -- Addressed an error in recursive clients stats reporting. - There were occasions when an incoming query could trigger a prefetch for - some eligible rrset, and if the prefetch code were executed before recursion, - no increment in recursive clients stats would take place. Conversely, - when processing the answers, if the recursion code were executed before the - prefetch, the same counter would be decremented without a matching increment. - [GL #1719] +- Wildcard RPZ passthru rules could incorrectly be overridden by other + rules that were loaded from RPZ zones which appeared later in the + ``response-policy`` statement. This has been fixed. 
[GL #1619] -- The introduction of KASP support broke whether the second field - of sig-validity-interval was treated as days or hours. (Thanks to - Tony Finch.) [GL !3735] +- The IPv6 Duplicate Address Detection (DAD) mechanism could + inadvertently prevent ``named`` from binding to new IPv6 interfaces, + by causing multiple route socket messages to be sent for each IPv6 + address. ``named`` monitors for new interfaces to ``bind()`` to when + it is configured to listen on ``any`` or on a specific range of + addresses. New IPv6 interfaces can be in a "tentative" state before + they are fully available for use. When DAD is in use, two messages are + emitted by the route socket: one when the interface first appears and + then a second one when it is fully "up." An attempt by ``named`` to + ``bind()`` to the new interface prematurely would fail, causing it + thereafter to ignore that address/interface. The problem was worked + around by setting the ``IP_FREEBIND`` option on the socket and trying + to ``bind()`` to each IPv6 address again if the first ``bind()`` call + for that address failed with ``EADDRNOTAVAIL``. [GL #2038] -- The IPv6 Duplicate Address Detection (DAD) mechanism could cause the operating - system to report the new IPv6 addresses to the applications via the - getifaddrs() API in a tentative (DAD not yet finished) or duplicate (DAD - failed) state. Such addresses cannot be bound by an application, and named - failed to listen on IPv6 addresses after the DAD mechanism finished. It is - possible to work around the issue by setting the IP_FREEBIND option on the - socket and trying to bind() to the IPv6 address again if the first bind() call - fails with EADDRNOTAVAIL. [GL #2038] +- Addressed an error in recursive clients stats reporting which could + cause underflow, and even negative statistics. 
There were occasions + when an incoming query could trigger a prefetch for some eligible + RRset, and if the prefetch code were executed before recursion, no + increment in recursive clients stats would take place. Conversely, + when processing the answers, if the recursion code were executed + before the prefetch, the same counter would be decremented without a + matching increment. [GL #1719] + +- The introduction of KASP support inadvertently caused the second field + of ``sig-validity-interval`` to always be calculated in hours, even in + cases when it should have been calculated in days. This has been + fixed. (Thanks to Tony Finch.) [GL !3735] + +- LMDB locking code was revised to make ``rndc reconfig`` work properly + on FreeBSD and with LMDB >= 0.9.26. [GL #1976] diff --git a/util/copyrights b/util/copyrights index d50730d93e..4236cbfc8a 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1231,7 +1231,7 @@ ./doc/notes/notes-9.17.1.rst RST 2020 ./doc/notes/notes-9.17.2.rst RST 2020 ./doc/notes/notes-9.17.3.rst RST 2020 -./doc/notes/notes-current.rst RST 2020 +./doc/notes/notes-9.17.4.rst RST 2020 ./docutil/HTML_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/MAN_COPYRIGHT X 2001,2004,2016,2018,2019,2020 ./docutil/patch-db2latex-duplicate-template-bug X 2007,2018,2019,2020
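Review bot: In the CHANGES @@ -33,53 hunk, the rewrite of 5470 drops the "illumos:" platform qualifier that the original entry carried ("illumos: only call gsskrb5_register_acceptor_identity ..."), while the neighbouring 5469 rewrite keeps it ("On illumos, a constant called SEC ..."); the new 5470 text reads as if the gssapi_krb5.h guard applied everywhere, so consider restoring "On illumos," for consistency with 5469. Two smaller points in the same hunk: the 5477 rewrite adds "which was previously set to a high fixed value", a detail that is not in the entry it replaces and should be confirmed against the change before it goes into CHANGES; and in 5469 the header name after "already defined in" is empty in both the removed and the added lines ("defined in , which conflicts"), so check that the actual file names the header rather than leaving the sentence dangling.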
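Review bot: In the CHANGES @@ -88,30 hunk, the 5464 rewrite narrows the scope of the bug: the original says "when rolling dnstap / log files", i.e. both dnstap files and ordinary log files, while the new text says "when rolling dnstap log files", which reads as dnstap only. If the overflow affected the shared file-rolling code for both, keep both, for example "when rolling dnstap or log files".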
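Review bot: In the doc/arm/notes.rst hunk, the include is switched from notes-current.rst to notes-9.17.4.rst and the file itself is renamed in the same commit, so no notes-current.rst remains for the next development cycle; make sure a fresh notes-current.rst (and its include line, plus its util/copyrights entry) is re-added immediately after this release commit, otherwise the first post-release change will have nowhere to put its note.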
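Review bot: In the notes-9.17.4.rst @@ -53,14 hunk, the whole "Known Issues" section is removed, but CHANGES 5467 in this same patch documents exactly such an issue: "rndc cannot currently be used with UNIX-domain sockets, and its default timeout has changed from 60 seconds to 30. These will be addressed in a future release." The timeout change is mentioned in the rndc "New Features" entry, but the UNIX-domain socket limitation is not visible anywhere in the notes; keep the section and list that limitation there rather than dropping "Known Issues" as "None".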
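Review bot: In the notes-9.17.4.rst @@ -73,44 hunk, the new DAD entry conflates interfaces with addresses: DAD applies to IPv6 addresses, and it is the address that is "tentative", yet the text says "binding to new IPv6 interfaces", "New IPv6 interfaces can be in a 'tentative' state" and "bind() to the new interface prematurely"; say "addresses" throughout, as CHANGES 5482 and the replaced paragraph do. The new explanation (two route socket messages per address) also differs from the replaced one (getifaddrs() returning tentative or duplicate addresses) and from CHANGES 5482, which mentions neither, so confirm which mechanism the fix actually targets and keep the two documents in step. In the same hunk, the added LMDB entry states "on FreeBSD and with LMDB >= 0.9.26", specifics that CHANGES 5462 ("Move LMDB locking from LMDB itself to named") does not carry; either add them to 5462 or drop them here. Finally, the Bug Fixes list as shown has no entry for CHANGES 5464 (buffer overflow when more than 128 rolled dnstap/log files are requested, GL #1989); a user-reachable buffer overflow in file rolling is worth a release-note line.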