diff --git a/CHANGES b/CHANGES
index d87f41f148..09b101ea5e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,11 +1,13 @@
+	--- 9.13.2 released ---
+
 4987.	[cleanup]	dns_rdataslab_tordataset() and its related
 			dns_rdatasetmethods_t callbacks were removed as they
 			were not being used by anything in BIND. [GL #371]
 
-4986.	[func]		When built on Linux, BIND now requires the libcap library
-			to set process privileges, unless capability support is
-			explicitly overridden with "configure --disable-linux-caps".
-			[GL #321]
+4986.	[func]		When built on Linux, BIND now requires the libcap
+			library to set process privileges, unless capability
+			support is explicitly overridden with "configure
+			--disable-linux-caps". [GL #321]
 
 4985.	[func]		Add a new slave zone option, "mirror", to enable
 			serving a non-authoritative copy of a zone that
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 993fcc0427..0f8b3ac196 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -10,12 +10,12 @@
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2018-01-22
+.\"      Date: 2018-05-29
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2018\-01\-22" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2018\-05\-29" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -212,7 +212,7 @@ options {
 	    \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [
 	    port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
 	    \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
-	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIinteger\fR ]; \&.\&.\&. };
+	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
 	check\-dup\-records ( fail | warn | ignore );
 	check\-integrity \fIboolean\fR;
 	check\-mx ( fail | warn | ignore );
@@ -251,6 +251,7 @@ options {
 	};
 	dns64\-contact \fIstring\fR;
 	dns64\-server \fIstring\fR;
+	dnskey\-sig\-validity \fIinteger\fR;
 	dnsrps\-enable \fIboolean\fR;
 	dnsrps\-options { \fIunspecified\-text\fR };
 	dnssec\-accept\-expired \fIboolean\fR;
@@ -299,14 +300,13 @@ options {
 	fstrm\-set\-output\-notify\-threshold \fIinteger\fR;
 	fstrm\-set\-output\-queue\-model ( mpsc | spsc );
 	fstrm\-set\-output\-queue\-size \fIinteger\fR;
-	fstrm\-set\-reopen\-interval \fIinteger\fR;
+	fstrm\-set\-reopen\-interval \fIttlval\fR;
 	geoip\-directory ( \fIquoted_string\fR | none );
-	geoip\-use\-ecs \fIboolean\fR;
 	glue\-cache \fIboolean\fR;
 	heartbeat\-interval \fIinteger\fR;
 	hostname ( \fIquoted_string\fR | none );
 	inline\-signing \fIboolean\fR;
-	interface\-interval \fIinteger\fR;
+	interface\-interval \fIttlval\fR;
 	ixfr\-from\-differences ( primary | master | secondary | slave |
 	    \fIboolean\fR );
 	keep\-response\-order { \fIaddress_match_element\fR; \&.\&.\&. };
@@ -325,10 +325,10 @@ options {
 	masterfile\-style ( full | relative );
 	match\-mapped\-addresses \fIboolean\fR;
 	max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
-	max\-cache\-ttl \fIinteger\fR;
+	max\-cache\-ttl \fIttlval\fR;
 	max\-clients\-per\-query \fIinteger\fR;
 	max\-journal\-size ( default | unlimited | \fIsizeval\fR );
-	max\-ncache\-ttl \fIinteger\fR;
+	max\-ncache\-ttl \fIttlval\fR;
 	max\-records \fIinteger\fR;
 	max\-recursion\-depth \fIinteger\fR;
 	max\-recursion\-queries \fIinteger\fR;
@@ -369,6 +369,7 @@ options {
 	preferred\-glue \fIstring\fR;
 	prefetch \fIinteger\fR [ \fIinteger\fR ];
 	provide\-ixfr \fIboolean\fR;
+	qname\-minimization ( strict | relaxed | disabled );
 	query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port (
 	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ]
 	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
@@ -408,18 +409,19 @@ options {
 	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
 	    \fIinteger\fR;
 	response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [
-	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+	    max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [
 	    policy ( cname | disabled | drop | given | no\-op | nodata |
 	    nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
 	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
-	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+	    max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [
 	    min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [
 	    qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ] [
 	    nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ] [
 	    dnsrps\-enable \fIboolean\fR ] [ dnsrps\-options { \fIunspecified\-text\fR
 	    } ];
 	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
+	root\-key\-sentinel \fIboolean\fR;
 	rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name
 	    \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. };
 	secroots\-file \fIquoted_string\fR;
@@ -580,7 +582,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 	    \fIinteger\fR ] [ dscp \fIinteger\fR ] { ( \fImasters\fR | \fIipv4_address\fR [
 	    port \fIinteger\fR ] | \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key
 	    \fIstring\fR ]; \&.\&.\&. } ] [ zone\-directory \fIquoted_string\fR ] [
-	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIinteger\fR ]; \&.\&.\&. };
+	    in\-memory \fIboolean\fR ] [ min\-update\-interval \fIttlval\fR ]; \&.\&.\&. };
 	check\-dup\-records ( fail | warn | ignore );
 	check\-integrity \fIboolean\fR;
 	check\-mx ( fail | warn | ignore );
@@ -618,6 +620,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 	};
 	dns64\-contact \fIstring\fR;
 	dns64\-server \fIstring\fR;
+	dnskey\-sig\-validity \fIinteger\fR;
 	dnsrps\-enable \fIboolean\fR;
 	dnsrps\-options { \fIunspecified\-text\fR };
 	dnssec\-accept\-expired \fIboolean\fR;
@@ -671,10 +674,10 @@ view \fIstring\fR [ \fIclass\fR ] {
 	match\-destinations { \fIaddress_match_element\fR; \&.\&.\&. };
 	match\-recursive\-only \fIboolean\fR;
 	max\-cache\-size ( default | unlimited | \fIsizeval\fR | \fIpercentage\fR );
-	max\-cache\-ttl \fIinteger\fR;
+	max\-cache\-ttl \fIttlval\fR;
 	max\-clients\-per\-query \fIinteger\fR;
 	max\-journal\-size ( default | unlimited | \fIsizeval\fR );
-	max\-ncache\-ttl \fIinteger\fR;
+	max\-ncache\-ttl \fIttlval\fR;
 	max\-records \fIinteger\fR;
 	max\-recursion\-depth \fIinteger\fR;
 	max\-recursion\-queries \fIinteger\fR;
@@ -709,6 +712,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 	preferred\-glue \fIstring\fR;
 	prefetch \fIinteger\fR [ \fIinteger\fR ];
 	provide\-ixfr \fIboolean\fR;
+	qname\-minimization ( strict | relaxed | disabled );
 	query\-source ( ( [ address ] ( \fIipv4_address\fR | * ) [ port (
 	    \fIinteger\fR | * ) ] ) | ( [ [ address ] ( \fIipv4_address\fR | * ) ]
 	    port ( \fIinteger\fR | * ) ) ) [ dscp \fIinteger\fR ];
@@ -743,18 +747,19 @@ view \fIstring\fR [ \fIclass\fR ] {
 	response\-padding { \fIaddress_match_element\fR; \&.\&.\&. } block\-size
 	    \fIinteger\fR;
 	response\-policy { zone \fIquoted_string\fR [ log \fIboolean\fR ] [
-	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+	    max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [
 	    policy ( cname | disabled | drop | given | no\-op | nodata |
 	    nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
 	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ break\-dnssec \fIboolean\fR ] [
-	    max\-policy\-ttl \fIinteger\fR ] [ min\-update\-interval \fIinteger\fR ] [
+	    max\-policy\-ttl \fIttlval\fR ] [ min\-update\-interval \fIttlval\fR ] [
 	    min\-ns\-dots \fIinteger\fR ] [ nsip\-wait\-recurse \fIboolean\fR ] [
 	    qname\-wait\-recurse \fIboolean\fR ] [ recursive\-only \fIboolean\fR ] [
 	    nsip\-enable \fIboolean\fR ] [ nsdname\-enable \fIboolean\fR ] [
 	    dnsrps\-enable \fIboolean\fR ] [ dnsrps\-options { \fIunspecified\-text\fR
 	    } ];
 	root\-delegation\-only [ exclude { \fIquoted_string\fR; \&.\&.\&. } ];
+	root\-key\-sentinel \fIboolean\fR;
 	rrset\-order { [ class \fIstring\fR ] [ type \fIstring\fR ] [ name
 	    \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; \&.\&.\&. };
 	send\-cookie \fIboolean\fR;
@@ -847,6 +852,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 		dialup ( notify | notify\-passive | passive | refresh |
 		    \fIboolean\fR );
 		dlz \fIstring\fR;
+		dnskey\-sig\-validity \fIinteger\fR;
 		dnssec\-dnskey\-kskonly \fIboolean\fR;
 		dnssec\-loadkeys\-interval \fIinteger\fR;
 		dnssec\-secure\-to\-insecure \fIboolean\fR;
@@ -878,6 +884,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 		max\-zone\-ttl ( unlimited | \fIttlval\fR );
 		min\-refresh\-time \fIinteger\fR;
 		min\-retry\-time \fIinteger\fR;
+		mirror \fIboolean\fR;
 		multi\-master \fIboolean\fR;
 		notify ( explicit | master\-only | \fIboolean\fR );
 		notify\-delay \fIinteger\fR;
@@ -957,6 +964,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
 	delegation\-only \fIboolean\fR;
 	dialup ( notify | notify\-passive | passive | refresh | \fIboolean\fR );
 	dlz \fIstring\fR;
+	dnskey\-sig\-validity \fIinteger\fR;
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-loadkeys\-interval \fIinteger\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
@@ -986,6 +994,7 @@ zone \fIstring\fR [ \fIclass\fR ] {
 	max\-zone\-ttl ( unlimited | \fIttlval\fR );
 	min\-refresh\-time \fIinteger\fR;
 	min\-retry\-time \fIinteger\fR;
+	mirror \fIboolean\fR;
 	multi\-master \fIboolean\fR;
 	notify ( explicit | master\-only | \fIboolean\fR );
 	notify\-delay \fIinteger\fR;
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index ce280a92fc..1184de56fd 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -193,7 +193,7 @@ options
 	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
 	    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
 	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
 	check-mx ( fail | warn | ignore );<br>
@@ -232,6 +232,7 @@ options
 	};<br>
 	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
 	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
 	dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
@@ -280,14 +281,13 @@ options
 	fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
 	fstrm-set-output-queue-model ( mpsc | spsc );<br>
 	fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
-	fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-reopen-interval <em class="replaceable"><code>ttlval</code></em>;<br>
 	geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	geoip-use-ecs <em class="replaceable"><code>boolean</code></em>;<br>
 	glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
 	hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
-	interface-interval <em class="replaceable"><code>integer</code></em>;<br>
+	interface-interval <em class="replaceable"><code>ttlval</code></em>;<br>
 	ixfr-from-differences ( primary | master | secondary | slave |<br>
 	    <em class="replaceable"><code>boolean</code></em> );<br>
 	keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -306,10 +306,10 @@ options
 	masterfile-style ( full | relative );<br>
 	match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
 	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
 	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
@@ -350,6 +350,7 @@ options
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
 	prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	qname-minimization ( strict | relaxed | disabled );<br>
 	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
 	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
 	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
@@ -389,18 +390,19 @@ options
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
 	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
 	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
 	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
 	    } ];<br>
 	root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	root-key-sentinel <em class="replaceable"><code>boolean</code></em>;<br>
 	rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
 	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
 	secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
@@ -549,7 +551,7 @@ view
 	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
 	    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
 	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
 	check-mx ( fail | warn | ignore );<br>
@@ -587,6 +589,7 @@ view
 	};<br>
 	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
 	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
 	dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
@@ -640,10 +643,10 @@ view
 	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
 	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
 	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
@@ -678,6 +681,7 @@ view
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
 	prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	qname-minimization ( strict | relaxed | disabled );<br>
 	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
 	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
 	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
@@ -712,18 +716,19 @@ view
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
 	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
 	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
 	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
 	    } ];<br>
 	root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	root-key-sentinel <em class="replaceable"><code>boolean</code></em>;<br>
 	rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
 	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
 	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
@@ -816,6 +821,7 @@ view
 		dialup ( notify | notify-passive | passive | refresh |<br>
 		    <em class="replaceable"><code>boolean</code></em> );<br>
 		dlz <em class="replaceable"><code>string</code></em>;<br>
+		dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
 		dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 		dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 		dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
@@ -847,6 +853,7 @@ view
 		max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
 		min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 		min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+		mirror <em class="replaceable"><code>boolean</code></em>;<br>
 		multi-master <em class="replaceable"><code>boolean</code></em>;<br>
 		notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 		notify-delay <em class="replaceable"><code>integer</code></em>;<br>
@@ -923,6 +930,7 @@ zone
 	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
 	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
 	dlz <em class="replaceable"><code>string</code></em>;<br>
+	dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
@@ -952,6 +960,7 @@ zone
 	max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
 	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	mirror <em class="replaceable"><code>boolean</code></em>;<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
 	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index d3bcf3cd74..68b02ecf99 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -614,6 +614,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index 883fc13377..7862592500 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -146,6 +146,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index c361dfc543..c78f599122 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -759,6 +759,6 @@ controls {
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index 0b1f380f34..5d77aa762b 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -2875,6 +2875,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 2cb056a868..d92048b94e 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -2396,7 +2396,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [
 	    <span class="command"><strong>port</strong></span> <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key
 	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [
-	    <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };
+	    <span class="command"><strong>in-memory</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };
 	<span class="command"><strong>check-dup-records</strong></span> ( fail | warn | ignore );
 	<span class="command"><strong>check-integrity</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>check-mx</strong></span> ( fail | warn | ignore );
@@ -2435,6 +2435,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	};
 	<span class="command"><strong>dns64-contact</strong></span> <em class="replaceable"><code>string</code></em>;
 	<span class="command"><strong>dns64-server</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnsrps-options</strong></span> { <em class="replaceable"><code>unspecified-text</code></em> };
 	<span class="command"><strong>dnssec-accept-expired</strong></span> <em class="replaceable"><code>boolean</code></em>;
@@ -2483,14 +2484,13 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>fstrm-set-output-notify-threshold</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>fstrm-set-output-queue-model</strong></span> ( mpsc | spsc );
 	<span class="command"><strong>fstrm-set-output-queue-size</strong></span> <em class="replaceable"><code>integer</code></em>;
-	<span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>fstrm-set-reopen-interval</strong></span> <em class="replaceable"><code>ttlval</code></em>;
 	<span class="command"><strong>geoip-directory</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
-	<span class="command"><strong>geoip-use-ecs</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>glue-cache</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>heartbeat-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>hostname</strong></span> ( <em class="replaceable"><code>quoted_string</code></em> | none );
 	<span class="command"><strong>inline-signing</strong></span> <em class="replaceable"><code>boolean</code></em>;
-	<span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>interface-interval</strong></span> <em class="replaceable"><code>ttlval</code></em>;
 	<span class="command"><strong>ixfr-from-differences</strong></span> ( primary | master | secondary | slave |
 	    <em class="replaceable"><code>boolean</code></em> );
 	<span class="command"><strong>keep-response-order</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
@@ -2509,10 +2509,10 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>masterfile-style</strong></span> ( full | relative );
 	<span class="command"><strong>match-mapped-addresses</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>max-cache-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );
-	<span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-cache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
 	<span class="command"><strong>max-clients-per-query</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
-	<span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>max-ncache-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em>;
 	<span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>max-recursion-depth</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>max-recursion-queries</strong></span> <em class="replaceable"><code>integer</code></em>;
@@ -2533,6 +2533,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>minimal-responses</strong></span> ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );
+	<span class="command"><strong>mirror</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>new-zones-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
 	<span class="command"><strong>no-case-compress</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
@@ -2553,6 +2554,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>preferred-glue</strong></span> <em class="replaceable"><code>string</code></em>;
 	<span class="command"><strong>prefetch</strong></span> <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];
 	<span class="command"><strong>provide-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+	<span class="command"><strong>qname-minimization</strong></span> ( strict | relaxed | disabled );
 	<span class="command"><strong>query-source</strong></span> ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (
 	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]
 	    <span class="command"><strong>port</strong></span> ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];
@@ -2592,18 +2594,19 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 	<span class="command"><strong>response-padding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size
 	    <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>response-policy</strong></span> { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [
-	    <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
+	    <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [
 	    <span class="command"><strong>policy</strong></span> ( cname | disabled | drop | given | no-op | nodata |
 	    <span class="command"><strong>nxdomain</strong></span> | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [
 	    <span class="command"><strong>recursive-only</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [
 	    <span class="command"><strong>nsdname-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [
-	    <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [
+	    <span class="command"><strong>max-policy-ttl</strong></span> <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [
 	    <span class="command"><strong>min-ns-dots</strong></span> <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [
 	    <span class="command"><strong>qname-wait-recurse</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [
 	    <span class="command"><strong>nsip-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [
 	    <span class="command"><strong>dnsrps-enable</strong></span> <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em>
 	    } ];
 	<span class="command"><strong>root-delegation-only</strong></span> [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];
+	<span class="command"><strong>root-key-sentinel</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>rrset-order</strong></span> { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name
 	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };
 	<span class="command"><strong>secroots-file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
@@ -3085,6 +3088,23 @@ badresp:1,adberr:0,findfail:0,valfail:0]
                 its functionality is built into the name server.
               </p>
             </dd>
+<dt><span class="term"><span class="command"><strong>qname-minimization</strong></span></span></dt>
+<dd>
+              <p>
+                This option controls QNAME minimization behaviour
+                in the BIND resolver. When set to <span class="command"><strong>strict</strong></span>,
+                BIND will follow the QNAME minimization algorithm to
+                the letter, as specified in RFC 7816. Setting this
+                option to <span class="command"><strong>relaxed</strong></span> will cause BIND
+                to fall back to normal (non-minimized) query mode
+                when it receives either NXDOMAIN or other unexpected
+                responses (e.g. SERVFAIL, improper zone cut, REFUSED)
+                to a minimized query. <span class="command"><strong>disabled</strong></span> disables
+                QNAME minimization completely. The current default is
+                <span class="command"><strong>relaxed</strong></span>, but it might be changed to
+                <span class="command"><strong>strict</strong></span> in a future release.
+              </p>
+            </dd>
 <dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt>
 <dd>
               <p>
@@ -4333,10 +4353,23 @@ options {
 <dt><span class="term"><span class="command"><strong>answer-cookie</strong></span></span></dt>
 <dd>
                 <p>
-                  <span class="emphasis"><em>This option is obsolete</em></span>.
-                  This option was used to prevent the sending of
-                  a DNS COOKIE option in response to a request with
-                  one present in BIND 9.11 and BIND 9.12.
+                  When set to the default value of <strong class="userinput"><code>yes</code></strong>,
+                  COOKIE EDNS options will be sent when applicable in
+                  replies to client queries. If set to
+                  <strong class="userinput"><code>no</code></strong>, COOKIE EDNS options will not
+                  be sent in replies.  This can only be set at the global
+                  options level, not per-view.
+                </p>
+                <p>
+                  <span class="command"><strong>answer-cookie no</strong></span> is intended as a
+                  temporary measure, for use when <span class="command"><strong>named</strong></span>
+                  shares an IP address with other servers that do not yet
+                  support DNS COOKIE.  A mismatch between servers on the same
+                  address is not expected to cause operational problems, but
+                  the option to disable COOKIE responses so that all servers
+                  have the same behavior is provided out of an abundance of
+                  caution. DNS COOKIE is an important security mechanism,
+                  and should not be disabled unless absolutely necessary.
                 </p>
               </dd>
 <dt><span class="term"><span class="command"><strong>send-cookie</strong></span></span></dt>
@@ -9271,6 +9304,7 @@ view "external" {
 	<span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
 	<span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
 	<span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>dnssec-secure-to-insecure</strong></span> <em class="replaceable"><code>boolean</code></em>;
@@ -9321,6 +9355,7 @@ view "external" {
 	<span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
 	<span class="command"><strong>dialup</strong></span> ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );
 	<span class="command"><strong>dlz</strong></span> <em class="replaceable"><code>string</code></em>;
+	<span class="command"><strong>dnskey-sig-validity</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>dnssec-dnskey-kskonly</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>dnssec-loadkeys-interval</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>dnssec-update-mode</strong></span> ( maintain | no-resign );
@@ -9344,6 +9379,7 @@ view "external" {
 	<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
 	<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+	<span class="command"><strong>mirror</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
 	<span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
 	<span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
@@ -10389,6 +10425,65 @@ example.com. NS ns2.example.net.
                     behavior is disabled by default.
                   </p>
                 </dd>
+<dt><span class="term"><span class="command"><strong>mirror</strong></span></span></dt>
+<dd>
+                  <p>
+                    If set to <strong class="userinput"><code>yes</code></strong>, this causes the
+                    zone to become a mirror zone.  A mirror zone is a
+                    <strong class="userinput"><code>secondary</code></strong> zone whose data
+                    is subject to DNSSEC validation before being
+                    used in answers.  The default is
+                    <strong class="userinput"><code>no</code></strong>.
+                  </p>
+                  <p>
+                    A mirror zone's contents are validated during the transfer
+                    process, and again when the zone file is loaded from disk
+                    when <span class="command"><strong>named</strong></span> is restarted.  If validation
+                    fails, a retransfer of the zone is scheduled; if the mirror
+                    zone had not previously been loaded or if the previous
+                    version has expired, traditional DNS recursion will be used
+                    to look up the answers instead.
+                  </p>
+                  <p>
+                    For validation to succeed, a key-signing key (KSK) for
+                    the zone must be configured as a trust anchor in
+                    <code class="filename">named.conf</code>:
+                    that is, a key for the zone must either be specified in
+                    <span class="command"><strong>managed-keys</strong></span> or
+                    <span class="command"><strong>trusted-keys</strong></span>, or in the case of
+                    the root zone, <span class="command"><strong>dnssec-validation</strong></span>
+                    must be set to <strong class="userinput"><code>auto</code></strong>.
+                    Answers coming from a mirror zone look almost exactly like
+                    answers from a normal slave zone, with the notable
+                    exceptions that the AA bit ("authoritative answer") is
+                    not set, and the AD bit ("authenticated data") is.
+                  </p>
+                  <p>
+                    Though this option can be used for other zones, it
+                    is intended to be used to set up a fast local copy of
+                    the root zone, as described in RFC 7706.
+                    This can be done by using the following configuration:
+                  </p>
+<pre class="programlisting">zone "." {
+        type slave;
+        mirror yes;
+        file "root.mirror";
+        masters {
+                192.228.79.201;       # b.root-servers.net
+                192.33.4.12;          # c.root-servers.net
+                192.5.5.241;          # f.root-servers.net
+                192.112.36.4;         # g.root-servers.net
+                193.0.14.129;         # k.root-servers.net
+                192.0.47.132;         # xfr.cjr.dns.icann.org
+                192.0.32.132;         # xfr.lax.dns.icann.org
+                2001:500:84::b;       # b.root-servers.net
+                2001:500:2f::f;       # f.root-servers.net
+                2001:7fd::1;          # k.root-servers.net
+                2620:0:2830:202::132; # xfr.cjr.dns.icann.org
+                2620:0:2d0:202::132;  # xfr.lax.dns.icann.org
+        };
+};</pre>
+                </dd>
 <dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
 <dd>
                   <p>
@@ -14715,6 +14810,6 @@ HOST-127.EXAMPLE. MX 0 .
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index 8a2d3c293a..3b584347bd 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -361,6 +361,6 @@ allow-query { !{ !10/8; any; }; key example; };
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 11eedc07e3..877878f98b 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -136,6 +136,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 8e465ba54f..bb6a491f4a 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -36,7 +36,7 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl class="toc">
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.2</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@@ -54,7 +54,7 @@
 </div>
       <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.1</h2></div></div></div>
+<a name="id-1.9.2"></a>Release Notes for BIND Version 9.13.2</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -122,6 +122,19 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+	<p>
+	  A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
+	  enables <span class="command"><strong>named</strong></span> to serve a transferred copy
+	  of a zone's contents without acting as an authority for the
+	  zone. A zone must be fully validated against an active trust
+	  anchor before it can be used as a mirror zone. DNS responses
+	  from mirror zones do not set the AA bit ("authoritative answer"),
+	  but do set the AD bit ("authenticated data"). This feature is
+	  meant to facilitate deployment of a local copy of the root zone,
+	  as described in RFC 7706. [GL #33]
+	</p>
+      </li>
 <li class="listitem">
 	<p>
 	  BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
@@ -148,6 +161,26 @@
 	  signatures covering DNSKEY RRsets. [GL #145]
 	</p>
       </li>
+<li class="listitem">
+	<p>
+	  Support for QNAME minimization was added and enabled by default
+	  in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
+	  to normal resolution if the remote server returns something
+	  unexpected during the query minimization process. This default
+	  setting might change to <span class="command"><strong>strict</strong></span> in the future.
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
+	  library to set process privileges.  The adds a new compile-time
+	  dependency, which can be met on most Linux platforms by installing the
+	  <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
+	  package. BIND can also be built without capability support by using
+	  <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
+	  loss of security.
+	</p>
+      </li>
 </ul></div>
   </div>
 
@@ -239,6 +272,23 @@
 	  signatures and digest, nor it will validate them.
 	</p>
       </li>
+<li class="listitem">
+	<p>
+	  Add the ability to not return a DNS COOKIE option when one
+	  is present in the request.  To prevent a cookie being returned
+	  add 'answer-cookie no;' to named.conf. [GL #173]
+	</p>
+	<p>
+	  <span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
+	  measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
+	  with other servers that do not yet support DNS COOKIE.  A mismatch
+	  between servers on the same address is not expected to cause
+	  operational problems, but the option to disable COOKIE responses so
+	  that all servers have the same behavior is provided out of an
+	  abundance of caution. DNS COOKIE is an important security mechanism,
+	  and should not be disabled unless absolutely necessary.
+	</p>
+      </li>
 </ul></div>
   </div>
 
@@ -340,7 +390,10 @@
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  None.
+	  <span class="command"><strong>named</strong></span> now rejects excessively large
+	  incremental (IXFR) zone transfers in order to prevent
+	  possible corruption of journal files which could cause
+	  <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
 	</p>
       </li></ul></div>
   </div>
@@ -417,6 +470,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index f980946862..30e233636c 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -148,6 +148,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index a632958a7a..cc3761924e 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -914,6 +914,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html
index 8da69d14b4..41f0c4c4b5 100644
--- a/doc/arm/Bv9ARM.ch11.html
+++ b/doc/arm/Bv9ARM.ch11.html
@@ -533,6 +533,6 @@ $ <strong class="userinput"><code>sample-update -a sample-update -k Kxxx.+nnn+mm
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html
index 4f527a66aa..6a1658d2c2 100644
--- a/doc/arm/Bv9ARM.ch12.html
+++ b/doc/arm/Bv9ARM.ch12.html
@@ -206,6 +206,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index a54219b28f..7ee1d9ab93 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -32,7 +32,7 @@
 <div>
 <div><h1 class="title">
 <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="releaseinfo">BIND Version 9.13.1</p></div>
+<div><p class="releaseinfo">BIND Version 9.13.2</p></div>
 <div><p class="copyright">Copyright © 2000-2018 Internet Systems Consortium, Inc. ("ISC")</p></div>
 </div>
 <hr>
@@ -234,7 +234,7 @@
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch08.html">A. Release Notes</a></span></dt>
 <dd><dl>
-<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.1</a></span></dt>
+<dt><span class="section"><a href="Bv9ARM.ch08.html#id-1.9.2">Release Notes for BIND Version 9.13.2</a></span></dt>
 <dd><dl>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_intro">Introduction</a></span></dt>
 <dt><span class="section"><a href="Bv9ARM.ch08.html#relnotes_versions">Note on Version Numbering</a></span></dt>
@@ -428,6 +428,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 3402436b95..429eda9f68 100644
Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ
diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html
index 539a0c3403..c93a10f549 100644
--- a/doc/arm/man.arpaname.html
+++ b/doc/arm/man.arpaname.html
@@ -90,6 +90,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html
index 4355f6d6e3..1094658802 100644
--- a/doc/arm/man.ddns-confgen.html
+++ b/doc/arm/man.ddns-confgen.html
@@ -220,6 +220,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html
index be0255c7fc..0b65a52ff3 100644
--- a/doc/arm/man.delv.html
+++ b/doc/arm/man.delv.html
@@ -625,6 +625,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index b3b7c5edc2..b7783a3f03 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -1138,6 +1138,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html
index 43263f415a..ad5a7d5733 100644
--- a/doc/arm/man.dnssec-cds.html
+++ b/doc/arm/man.dnssec-cds.html
@@ -376,6 +376,6 @@ nsupdate -l
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html
index 7cbc8b3e5a..d62f72db56 100644
--- a/doc/arm/man.dnssec-checkds.html
+++ b/doc/arm/man.dnssec-checkds.html
@@ -150,6 +150,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html
index 0fb20c818d..2b28459096 100644
--- a/doc/arm/man.dnssec-coverage.html
+++ b/doc/arm/man.dnssec-coverage.html
@@ -270,6 +270,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
index 1fa88b17dd..b8e2052df5 100644
--- a/doc/arm/man.dnssec-dsfromkey.html
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -289,6 +289,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html
index ca8a348eef..30b483db40 100644
--- a/doc/arm/man.dnssec-importkey.html
+++ b/doc/arm/man.dnssec-importkey.html
@@ -250,6 +250,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
index eaa3e3725a..6a8f47ebb8 100644
--- a/doc/arm/man.dnssec-keyfromlabel.html
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -498,6 +498,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index e5ea4d49cb..278c364bec 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -568,6 +568,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html
index 46eec521a5..aaad294748 100644
--- a/doc/arm/man.dnssec-keymgr.html
+++ b/doc/arm/man.dnssec-keymgr.html
@@ -388,6 +388,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html
index f64712afe7..4671a24372 100644
--- a/doc/arm/man.dnssec-revoke.html
+++ b/doc/arm/man.dnssec-revoke.html
@@ -171,6 +171,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html
index 114c69497f..030bb0d157 100644
--- a/doc/arm/man.dnssec-settime.html
+++ b/doc/arm/man.dnssec-settime.html
@@ -349,6 +349,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index b3f15e90f6..a74775ba12 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -700,6 +700,6 @@ db.example.com.signed
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
index 5e67319921..a73388f737 100644
--- a/doc/arm/man.dnssec-verify.html
+++ b/doc/arm/man.dnssec-verify.html
@@ -202,6 +202,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html
index d6f78df0ff..0b260eca2c 100644
--- a/doc/arm/man.dnstap-read.html
+++ b/doc/arm/man.dnstap-read.html
@@ -142,6 +142,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index 51d1feb7d2..1b4554ca9b 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -375,6 +375,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html
index a5ea3b4a8c..d26077e168 100644
--- a/doc/arm/man.mdig.html
+++ b/doc/arm/man.mdig.html
@@ -610,6 +610,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index a0937c71b9..f2bed10be9 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -200,6 +200,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index ae757b8a0c..babf2c8000 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -463,6 +463,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html
index 7fe80bb2e9..2e5dee4a68 100644
--- a/doc/arm/man.named-journalprint.html
+++ b/doc/arm/man.named-journalprint.html
@@ -117,6 +117,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html
index d96477993a..0f85dc1d36 100644
--- a/doc/arm/man.named-nzd2nzf.html
+++ b/doc/arm/man.named-nzd2nzf.html
@@ -119,6 +119,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html
index f4500ea949..51b95dda87 100644
--- a/doc/arm/man.named-rrchecker.html
+++ b/doc/arm/man.named-rrchecker.html
@@ -121,6 +121,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html
index 148490eca4..35fb36a641 100644
--- a/doc/arm/man.named.conf.html
+++ b/doc/arm/man.named.conf.html
@@ -211,7 +211,7 @@ options
 	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
 	    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
 	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
 	check-mx ( fail | warn | ignore );<br>
@@ -250,6 +250,7 @@ options
 	};<br>
 	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
 	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
 	dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
@@ -298,14 +299,13 @@ options
 	fstrm-set-output-notify-threshold <em class="replaceable"><code>integer</code></em>;<br>
 	fstrm-set-output-queue-model ( mpsc | spsc );<br>
 	fstrm-set-output-queue-size <em class="replaceable"><code>integer</code></em>;<br>
-	fstrm-set-reopen-interval <em class="replaceable"><code>integer</code></em>;<br>
+	fstrm-set-reopen-interval <em class="replaceable"><code>ttlval</code></em>;<br>
 	geoip-directory ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
-	geoip-use-ecs <em class="replaceable"><code>boolean</code></em>;<br>
 	glue-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
 	hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	inline-signing <em class="replaceable"><code>boolean</code></em>;<br>
-	interface-interval <em class="replaceable"><code>integer</code></em>;<br>
+	interface-interval <em class="replaceable"><code>ttlval</code></em>;<br>
 	ixfr-from-differences ( primary | master | secondary | slave |<br>
 	    <em class="replaceable"><code>boolean</code></em> );<br>
 	keep-response-order { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -324,10 +324,10 @@ options
 	masterfile-style ( full | relative );<br>
 	match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
 	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
 	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
@@ -368,6 +368,7 @@ options
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
 	prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	qname-minimization ( strict | relaxed | disabled );<br>
 	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
 	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
 	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
@@ -407,18 +408,19 @@ options
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
 	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
 	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
 	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
 	    } ];<br>
 	root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	root-key-sentinel <em class="replaceable"><code>boolean</code></em>;<br>
 	rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
 	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
 	secroots-file <em class="replaceable"><code>quoted_string</code></em>;<br>
@@ -567,7 +569,7 @@ view
 	    <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<br>
 	    port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key<br>
 	    <em class="replaceable"><code>string</code></em> ]; ... } ] [ zone-directory <em class="replaceable"><code>quoted_string</code></em> ] [<br>
-	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ]; ... };<br>
+	    in-memory <em class="replaceable"><code>boolean</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ]; ... };<br>
 	check-dup-records ( fail | warn | ignore );<br>
 	check-integrity <em class="replaceable"><code>boolean</code></em>;<br>
 	check-mx ( fail | warn | ignore );<br>
@@ -605,6 +607,7 @@ view
 	};<br>
 	dns64-contact <em class="replaceable"><code>string</code></em>;<br>
 	dns64-server <em class="replaceable"><code>string</code></em>;<br>
+	dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
 	dnsrps-enable <em class="replaceable"><code>boolean</code></em>;<br>
 	dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em> };<br>
 	dnssec-accept-expired <em class="replaceable"><code>boolean</code></em>;<br>
@@ -658,10 +661,10 @@ view
 	match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
 	max-cache-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> | <em class="replaceable"><code>percentage</code></em> );<br>
-	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-cache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>integer</code></em>;<br>
 	max-journal-size ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );<br>
-	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
+	max-ncache-ttl <em class="replaceable"><code>ttlval</code></em>;<br>
 	max-records <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-depth <em class="replaceable"><code>integer</code></em>;<br>
 	max-recursion-queries <em class="replaceable"><code>integer</code></em>;<br>
@@ -696,6 +699,7 @@ view
 	preferred-glue <em class="replaceable"><code>string</code></em>;<br>
 	prefetch <em class="replaceable"><code>integer</code></em> [ <em class="replaceable"><code>integer</code></em> ];<br>
 	provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
+	qname-minimization ( strict | relaxed | disabled );<br>
 	query-source ( ( [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port (<br>
 	    <em class="replaceable"><code>integer</code></em> | * ) ] ) | ( [ [ address ] ( <em class="replaceable"><code>ipv4_address</code></em> | * ) ]<br>
 	    port ( <em class="replaceable"><code>integer</code></em> | * ) ) ) [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
@@ -730,18 +734,19 @@ view
 	response-padding { <em class="replaceable"><code>address_match_element</code></em>; ... } block-size<br>
 	    <em class="replaceable"><code>integer</code></em>;<br>
 	response-policy { zone <em class="replaceable"><code>quoted_string</code></em> [ log <em class="replaceable"><code>boolean</code></em> ] [<br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    policy ( cname | disabled | drop | given | no-op | nodata |<br>
 	    nxdomain | passthru | tcp-only <em class="replaceable"><code>quoted_string</code></em> ) ] [<br>
 	    recursive-only <em class="replaceable"><code>boolean</code></em> ] [ nsip-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsdname-enable <em class="replaceable"><code>boolean</code></em> ]; ... } [ break-dnssec <em class="replaceable"><code>boolean</code></em> ] [<br>
-	    max-policy-ttl <em class="replaceable"><code>integer</code></em> ] [ min-update-interval <em class="replaceable"><code>integer</code></em> ] [<br>
+	    max-policy-ttl <em class="replaceable"><code>ttlval</code></em> ] [ min-update-interval <em class="replaceable"><code>ttlval</code></em> ] [<br>
 	    min-ns-dots <em class="replaceable"><code>integer</code></em> ] [ nsip-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    qname-wait-recurse <em class="replaceable"><code>boolean</code></em> ] [ recursive-only <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    nsip-enable <em class="replaceable"><code>boolean</code></em> ] [ nsdname-enable <em class="replaceable"><code>boolean</code></em> ] [<br>
 	    dnsrps-enable <em class="replaceable"><code>boolean</code></em> ] [ dnsrps-options { <em class="replaceable"><code>unspecified-text</code></em><br>
 	    } ];<br>
 	root-delegation-only [ exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } ];<br>
+	root-key-sentinel <em class="replaceable"><code>boolean</code></em>;<br>
 	rrset-order { [ class <em class="replaceable"><code>string</code></em> ] [ type <em class="replaceable"><code>string</code></em> ] [ name<br>
 	    <em class="replaceable"><code>quoted_string</code></em> ] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ... };<br>
 	send-cookie <em class="replaceable"><code>boolean</code></em>;<br>
@@ -834,6 +839,7 @@ view
 		dialup ( notify | notify-passive | passive | refresh |<br>
 		    <em class="replaceable"><code>boolean</code></em> );<br>
 		dlz <em class="replaceable"><code>string</code></em>;<br>
+		dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
 		dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 		dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 		dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
@@ -865,6 +871,7 @@ view
 		max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
 		min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 		min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+		mirror <em class="replaceable"><code>boolean</code></em>;<br>
 		multi-master <em class="replaceable"><code>boolean</code></em>;<br>
 		notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 		notify-delay <em class="replaceable"><code>integer</code></em>;<br>
@@ -941,6 +948,7 @@ zone
 	delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
 	dialup ( notify | notify-passive | passive | refresh | <em class="replaceable"><code>boolean</code></em> );<br>
 	dlz <em class="replaceable"><code>string</code></em>;<br>
+	dnskey-sig-validity <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-dnskey-kskonly <em class="replaceable"><code>boolean</code></em>;<br>
 	dnssec-loadkeys-interval <em class="replaceable"><code>integer</code></em>;<br>
 	dnssec-secure-to-insecure <em class="replaceable"><code>boolean</code></em>;<br>
@@ -970,6 +978,7 @@ zone
 	max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
 	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
+	mirror <em class="replaceable"><code>boolean</code></em>;<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
 	notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
 	notify-delay <em class="replaceable"><code>integer</code></em>;<br>
@@ -1057,6 +1066,6 @@ zone
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index ef1ca972d5..d5504ed9de 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -492,6 +492,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html
index e606b9ca20..2ecb7ee4d7 100644
--- a/doc/arm/man.nsec3hash.html
+++ b/doc/arm/man.nsec3hash.html
@@ -155,6 +155,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html
index 1b81135c3f..8d00c3b47e 100644
--- a/doc/arm/man.nslookup.html
+++ b/doc/arm/man.nslookup.html
@@ -420,6 +420,6 @@ nslookup -query=hinfo  -timeout=10
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
index 7bb6ecdb0e..1fadeed2f4 100644
--- a/doc/arm/man.nsupdate.html
+++ b/doc/arm/man.nsupdate.html
@@ -818,6 +818,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html
index 73972fad85..6183a1191d 100644
--- a/doc/arm/man.pkcs11-destroy.html
+++ b/doc/arm/man.pkcs11-destroy.html
@@ -162,6 +162,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html
index 7f314c46cc..1f43d646bc 100644
--- a/doc/arm/man.pkcs11-keygen.html
+++ b/doc/arm/man.pkcs11-keygen.html
@@ -200,6 +200,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html
index d8e110a200..b43ca056cf 100644
--- a/doc/arm/man.pkcs11-list.html
+++ b/doc/arm/man.pkcs11-list.html
@@ -158,6 +158,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html
index 5fff2b1c24..c8ea3b149f 100644
--- a/doc/arm/man.pkcs11-tokens.html
+++ b/doc/arm/man.pkcs11-tokens.html
@@ -123,6 +123,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index 773fce6f08..b51df9f4df 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -260,6 +260,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index d5fd1a25ef..e8d8ee13c6 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -268,6 +268,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 4f6c5f5c26..66d163eb21 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -1010,6 +1010,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.1 (Development Release)</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.2 (Development Release)</p>
 </body>
 </html>
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index 96024a4fb7..664cf07c60 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -15,7 +15,7 @@
 
   <div class="section">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id-1.2"></a>Release Notes for BIND Version 9.13.1</h2></div></div></div>
+<a name="id-1.2"></a>Release Notes for BIND Version 9.13.2</h2></div></div></div>
   
   <div class="section">
 <div class="titlepage"><div><div><h3 class="title">
@@ -83,6 +83,19 @@
 <div class="titlepage"><div><div><h3 class="title">
 <a name="relnotes_features"></a>New Features</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+	<p>
+	  A new secondary zone option, <span class="command"><strong>mirror</strong></span>,
+	  enables <span class="command"><strong>named</strong></span> to serve a transferred copy
+	  of a zone's contents without acting as an authority for the
+	  zone. A zone must be fully validated against an active trust
+	  anchor before it can be used as a mirror zone. DNS responses
+	  from mirror zones do not set the AA bit ("authoritative answer"),
+	  but do set the AD bit ("authenticated data"). This feature is
+	  meant to facilitate deployment of a local copy of the root zone,
+	  as described in RFC 7706. [GL #33]
+	</p>
+      </li>
 <li class="listitem">
 	<p>
 	  BIND now can be compiled against the <span class="command"><strong>libidn2</strong></span>
@@ -109,6 +122,26 @@
 	  signatures covering DNSKEY RRsets. [GL #145]
 	</p>
       </li>
+<li class="listitem">
+	<p>
+	  Support for QNAME minimization was added and enabled by default
+	  in <span class="command"><strong>relaxed</strong></span> mode, in which BIND will fall back
+	  to normal resolution if the remote server returns something
+	  unexpected during the query minimization process. This default
+	  setting might change to <span class="command"><strong>strict</strong></span> in the future.
+	</p>
+      </li>
+<li class="listitem">
+	<p>
+	  When built on Linux, BIND now requires the <span class="command"><strong>libcap</strong></span>
+	  library to set process privileges.  The adds a new compile-time
+	  dependency, which can be met on most Linux platforms by installing the
+	  <span class="command"><strong>libcap-dev</strong></span> or <span class="command"><strong>libcap-devel</strong></span>
+	  package. BIND can also be built without capability support by using
+	  <span class="command"><strong>configure --disable-linux-caps</strong></span>, at the cost of some
+	  loss of security.
+	</p>
+      </li>
 </ul></div>
   </div>
 
@@ -200,6 +233,23 @@
 	  signatures and digest, nor it will validate them.
 	</p>
       </li>
+<li class="listitem">
+	<p>
+	  Add the ability to not return a DNS COOKIE option when one
+	  is present in the request.  To prevent a cookie being returned
+	  add 'answer-cookie no;' to named.conf. [GL #173]
+	</p>
+	<p>
+	  <span class="command"><strong>answer-cookie</strong></span> is only intended as a temporary
+	  measure, for use when <span class="command"><strong>named</strong></span> shares an IP address
+	  with other servers that do not yet support DNS COOKIE.  A mismatch
+	  between servers on the same address is not expected to cause
+	  operational problems, but the option to disable COOKIE responses so
+	  that all servers have the same behavior is provided out of an
+	  abundance of caution. DNS COOKIE is an important security mechanism,
+	  and should not be disabled unless absolutely necessary.
+	</p>
+      </li>
 </ul></div>
   </div>
 
@@ -301,7 +351,10 @@
 <a name="relnotes_bugs"></a>Bug Fixes</h3></div></div></div>
     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 	<p>
-	  None.
+	  <span class="command"><strong>named</strong></span> now rejects excessively large
+	  incremental (IXFR) zone transfers in order to prevent
+	  possible corruption of journal files which could cause
+	  <span class="command"><strong>named</strong></span> to abort when loading zones. [GL #339]
 	</p>
       </li></ul></div>
   </div>
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf
index 987ce27735..0f9473fd88 100644
Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ
diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt
index 7df71bd749..732a65bf8e 100644
--- a/doc/arm/notes.txt
+++ b/doc/arm/notes.txt
@@ -1,4 +1,4 @@
-Release Notes for BIND Version 9.13.1
+Release Notes for BIND Version 9.13.2
 
 Introduction
 
@@ -41,6 +41,15 @@ Security Fixes
 
 New Features
 
+  * A new secondary zone option, mirror, enables named to serve a
+    transferred copy of a zone's contents without acting as an authority
+    for the zone. A zone must be fully validated against an active trust
+    anchor before it can be used as a mirror zone. DNS responses from
+    mirror zones do not set the AA bit ("authoritative answer"), but do
+    set the AD bit ("authenticated data"). This feature is meant to
+    facilitate deployment of a local copy of the root zone, as described
+    in RFC 7706. [GL #33]
+
   * BIND now can be compiled against the libidn2 library to add IDNA2008
     support. Previously, BIND supported IDNA2003 using the (now obsolete
     and unsupported) idnkit-1 library.
@@ -54,6 +63,19 @@ New Features
   * The dnskey-sig-validity option allows the sig-validity-interval to be
     overriden for signatures covering DNSKEY RRsets. [GL #145]
 
+  * Support for QNAME minimization was added and enabled by default in
+    relaxed mode, in which BIND will fall back to normal resolution if the
+    remote server returns something unexpected during the query
+    minimization process. This default setting might change to strict in
+    the future.
+
+  * When built on Linux, BIND now requires the libcap library to set
+    process privileges. The adds a new compile-time dependency, which can
+    be met on most Linux platforms by installing the libcap-dev or
+    libcap-devel package. BIND can also be built without capability
+    support by using configure --disable-linux-caps, at the cost of some
+    loss of security.
+
 Removed Features
 
   * named can no longer use the EDNS CLIENT-SUBNET option for view
@@ -100,6 +122,19 @@ Removed Features
     create new DNSSEC keys, signatures and digest, nor it will validate
     them.
 
+  * Add the ability to not return a DNS COOKIE option when one is present
+    in the request. To prevent a cookie being returned add 'answer-cookie
+    no;' to named.conf. [GL #173]
+
+    answer-cookie is only intended as a temporary measure, for use when
+    named shares an IP address with other servers that do not yet support
+    DNS COOKIE. A mismatch between servers on the same address is not
+    expected to cause operational problems, but the option to disable
+    COOKIE responses so that all servers have the same behavior is
+    provided out of an abundance of caution. DNS COOKIE is an important
+    security mechanism, and should not be disabled unless absolutely
+    necessary.
+
 Feature Changes
 
   * BIND will now always use the best CSPRNG (cryptographically-secure
@@ -145,7 +180,9 @@ Feature Changes
 
 Bug Fixes
 
-  * None.
+  * named now rejects excessively large incremental (IXFR) zone transfers
+    in order to prevent possible corruption of journal files which could
+    cause named to abort when loading zones. [GL #339]
 
 License
 
diff --git a/doc/misc/options b/doc/misc/options
index 72a852b2ff..41686fb475 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -79,7 +79,7 @@ options {
             ] [ dscp <integer> ];
         alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
             * ) ] [ dscp <integer> ];
-        answer-cookie <boolean>; // obsolete
+        answer-cookie <boolean>;
         attach-cache <string>;
         auth-nxdomain <boolean>; // default changed
         auto-dnssec ( allow | maintain | off );
@@ -206,7 +206,7 @@ options {
         listen-on-v6 [ port <integer> ] [ dscp
             <integer> ] {
             <address_match_element>; ... }; // may occur multiple times
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         lock-file ( <quoted_string> | none );
         maintain-ixfr-base <boolean>; // obsolete
         managed-keys-directory <quoted_string>;
@@ -241,6 +241,7 @@ options {
         min-roots <integer>; // not implemented
         minimal-any <boolean>;
         minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+        mirror <boolean>;
         multi-master <boolean>;
         multiple-cnames <boolean>; // obsolete
         named-xfer <quoted_string>; // obsolete
@@ -265,7 +266,7 @@ options {
         preferred-glue <string>;
         prefetch <integer> [ <integer> ];
         provide-ixfr <boolean>;
-        qname-minimization ( strict | relaxed | disabled );
+        qname-minimization ( strict | relaxed | disabled | off );
         query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
             <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
             port ( <integer> | * ) ) ) [ dscp <integer> ];
@@ -545,7 +546,7 @@ view <string> [ <class> ] {
         }; // may occur multiple times
         key-directory <quoted_string>;
         lame-ttl <ttlval>;
-        lmdb-mapsize <sizeval>;
+        lmdb-mapsize <sizeval>; // non-operational
         maintain-ixfr-base <boolean>; // obsolete
         managed-keys { <string> <string>
             <integer> <integer> <integer>
@@ -580,6 +581,7 @@ view <string> [ <class> ] {
         min-roots <integer>; // not implemented
         minimal-any <boolean>;
         minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+        mirror <boolean>;
         multi-master <boolean>;
         new-zones-directory <quoted_string>;
         no-case-compress { <address_match_element>; ... };
@@ -599,7 +601,7 @@ view <string> [ <class> ] {
         preferred-glue <string>;
         prefetch <integer> [ <integer> ];
         provide-ixfr <boolean>;
-        qname-minimization ( strict | relaxed | disabled );
+        qname-minimization ( strict | relaxed | disabled | off );
         query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
             <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
             port ( <integer> | * ) ) ) [ dscp <integer> ];
diff --git a/lib/bind9/api b/lib/bind9/api
index f6a05db88f..c1affa8804 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -10,5 +10,5 @@
 # 9.12: 1200-1299
 # 9.13: 1300-1399
 LIBINTERFACE = 1300
-LIBREVISION = 1
+LIBREVISION = 2
 LIBAGE = 0
diff --git a/lib/dns/api b/lib/dns/api
index 2e3dc0c30e..18e8a01a04 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -9,6 +9,6 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 # 9.13: 1300-1399
-LIBINTERFACE = 1301
+LIBINTERFACE = 1302
 LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isc/api b/lib/isc/api
index 2e3dc0c30e..8def9e4cd0 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -9,6 +9,6 @@
 # 9.11: 160-169,1100-1199
 # 9.12: 1200-1299
 # 9.13: 1300-1399
-LIBINTERFACE = 1301
+LIBINTERFACE = 1302
 LIBREVISION = 0
-LIBAGE = 0
+LIBAGE = 1
diff --git a/lib/isccfg/api b/lib/isccfg/api
index 298b164cd6..2c3ba57dd8 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -10,5 +10,5 @@
 # 9.12: 1200-1299
 # 9.13: 1300-1399
 LIBINTERFACE = 1301
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 1
diff --git a/lib/ns/api b/lib/ns/api
index a159a1e446..7ae54ff516 100644
--- a/lib/ns/api
+++ b/lib/ns/api
@@ -9,6 +9,6 @@
 # 9.11: 160-169
 # 9.12: 1200-1299
 # 9.13: 1300-1399
-LIBINTERFACE = 1301
+LIBINTERFACE = 1302
 LIBREVISION = 0
-LIBAGE = 1
+LIBAGE = 0
diff --git a/version b/version
index 38fd269f3f..f593e76281 100644
--- a/version
+++ b/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION="(Development Release)"
 MAJORVER=9
 MINORVER=13
-PATCHVER=1
+PATCHVER=2
 RELEASETYPE=
 RELEASEVER=
 EXTENSIONS=