Tweak and reword release notes

Two inconsequential bug fixes are not release note worthy.
Use more user-centric terminology about dnssec-policy manual-mode.
Add links, shorten notes.

doc/notes/notes-9.21.12.rst

@@ -15,21 +15,20 @@ Notes for BIND 9.21.12
 New Features
 ~~~~~~~~~~~~
 
-- Add manual mode configuration option to dnsec-policy.
+- Add a new option ``manual-mode`` to :any:`dnssec-policy`.
 
-  Add a new option ``manual-mode`` to :any:`dnssec-policy`. The intended
-  use is that if it is enabled, it will not automatically move to the
-  next state transition, but instead the transition is logged. Only
-  after manual confirmation with ``rndc dnssec -step`` the transition is
-  made. :gl:`#4606`
+  When enabled, :iscman:`named` will not modify DNSSEC keys or key states
+  automatically. The proposed change will be logged and only after manual
+  confirmation with ``rndc dnssec -step`` will the modification be made.
+  :gl:`#4606`
 
-- Add a new 'servfail-until-ready' configuration option for RPZ.
+- Add a new option ``servfail-until-ready`` to :namedconf:ref:`response-policy`
+  zones.
 
-  By default, when :iscman:`named` is started it may start answering to
-  queries before the response policy zones are completely loaded and
-  processed. This new feature gives an option to the users to tell
-  :iscman:`named` that incoming requests should result in SERVFAIL
-  answer until all the response policy zones are processed and ready.
+  By default, when :iscman:`named` is started, it starts answering
+  queries before all response policy zones are completely loaded and
+  processed. This new option instructs :iscman:`named` to respond with
+  SERVFAIL until all the response policy zones are processed and ready.
   Note that if one or more response policy zones fail to load,
   :iscman:`named` starts responding to queries according to those zones
   that did load. :gl:`#5222`
@@ -41,7 +40,7 @@ New Features
 Removed Features
 ~~~~~~~~~~~~~~~~
 
-- Deprecate the "tkey-gssapi-credential" statement.
+- Deprecate the :namedconf:ref:`tkey-gssapi-credential` statement.
 
   The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up
   in a simpler and more reliable way than using the
@@ -58,7 +57,7 @@ Removed Features
 
 - Obsolete the "tkey-domain" statement.
 
-  Mark the ``tkey-domain`` statement as obsolete, since it has not had
+  Mark the ``tkey-domain`` statement as obsolete because it has not had
   any effect on server behavior since support for TKEY Mode 2
   (Diffie-Hellman) was removed (in BIND 9.20.0). :gl:`#4204`
 
@@ -68,26 +67,13 @@ Bug Fixes
 - Prevent spurious SERVFAILs for certain 0-TTL resource records.
 
   Under certain circumstances, BIND 9 can return SERVFAIL when updating
-  existing entries in the cache with new NS, A, AAAA, or DS records with
-  0-TTL. :gl:`#5294`
+  existing entries in the cache with new NS, A, AAAA, or DS records that have a
+  TTL of zero. :gl:`#5294`
 
-- Batch minor meson fixes.
+- Fix unexpected termination if :namedconf:ref:`catalog-zones` had undefined
+  ``default-primaries``.
 
-  This MR fixes various meson issues that are found after the first
-  meson release and are too small to have a MR on their own. :gl:`#5379`
-
-- RPZ canonical warning displays zone entry incorrectly.
-
-  When an IPv6 rpz prefix entry is entered incorrectly the log message
-  was just displaying the prefix rather than the full entry.  This has
-  been corrected. :gl:`#5491`
-
-- Fix a catalog zone issue when having an unset 'default-primaries'
-  configuration clause.
-
-  A catalog zone with an unset ``default-primaries`` clause could cause
-  an unexpected termination of the :iscman:`named` process after two
-  reloading or reconfiguration commands. This has been fixed.
+  The issue manifested only if the server was reloaded or reconfigured twice.
   :gl:`#5494`