diff --git a/doc/arm/notes-9.14.12.xml b/doc/arm/notes-9.14.12.xml
index 47b919e0ef..42761216b8 100644
--- a/doc/arm/notes-9.14.12.xml
+++ b/doc/arm/notes-9.14.12.xml
@@ -13,6 +13,17 @@
 
   <section xml:id="relnotes-9.14.12-security"><info><title>Security Fixes</title></info>
     <itemizedlist>
+      <listitem>
+        <para>
+          To prevent exhaustion of server resources by a maliciously configured
+          domain, the number of recursive queries that can be triggered by a
+          request before aborting recursion has been further limited. Root and
+          top-level domain servers are no longer exempt from the
+          <command>max-recursion-queries</command> limit. Fetches for missing
+          name server address records are limited to 4 for any domain. This
+          issue was disclosed in CVE-2020-8616. [GL #1388]
+        </para>
+      </listitem>
       <listitem>
         <para>
           Replaying a TSIG BADTIME response as a request could