From: Tinderbox User Date: Wed, 2 Oct 2019 05:59:18 +0000 (+0000) Subject: prep 9.15.5 X-Git-Tag: v9.15.5^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0729d194c90262fdaf431fdc44306239083137f1;p=thirdparty%2Fbind9.git prep 9.15.5 --- diff --git a/CHANGES b/CHANGES index 0e582e6c511..78529403083 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.15.5 released --- + 5299. [security] A flaw in DNSSEC verification when transferring mirror zones could allow data to be incorrectly marked valid. (CVE-2019-6475) [GL #16P] diff --git a/README b/README index acca352806d..3f530296aa4 100644 --- a/README +++ b/README @@ -361,7 +361,9 @@ Acknowledgments * This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. http://www.OpenSSL.org/ + * This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) + * This product includes software written by Tim Hudson (tjh@cryptsoft.com) diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 4319abf766c..4e0cfcb2e24 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 9d6a6fee5de..dcfea3d629e 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 801bc447ca1..c7e0e55f416 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls { -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 21e2b020cfd..7454502d31e 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2840,6 +2840,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index ee0dc40f282..8b41f1cbafd 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14897,6 +14897,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 4ef63d93ac2..18673c4048f 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -360,6 +360,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 38fcd9c5c29..50d1cf31f36 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 098f23cf248..50135dec4d7 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,7 +36,7 @@

Table of Contents

-
Release Notes for BIND Version 9.15.4
+
Release Notes for BIND Version 9.15.5
Introduction
Note on Version Numbering
@@ -55,472 +55,476 @@

-Release Notes for BIND Version 9.15.4

+Release Notes for BIND Version 9.15.5

Introduction

-

- BIND 9.15 is an unstable development release of BIND. - This document summarizes new features and functional changes that - have been introduced on this branch. With each development release - leading up to the stable BIND 9.16 release, this document will be - updated with additional features added and bugs fixed. -

-
- +

+ BIND 9.15 is an unstable development release of BIND. + This document summarizes new features and functional changes that + have been introduced on this branch. With each development release + leading up to the stable BIND 9.16 release, this document will be + updated with additional features added and bugs fixed. +

+

Note on Version Numbering

-

- Until BIND 9.12, new feature development releases were tagged - as "alpha" and "beta", leading up to the first stable release - for a given development branch, which always ended in ".0". - More recently, BIND adopted the "odd-unstable/even-stable" - release numbering convention. There will be no "alpha" or "beta" - releases in the 9.15 branch, only increasing version numbers. - So, for example, what would previously have been called 9.15.0a1, - 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, - 9.15.1, 9.15.2, etc. -

-

- The first stable release from this development branch will be - renamed as 9.16.0. Thereafter, maintenance releases will continue - on the 9.16 branch, while unstable feature development proceeds in - 9.17. -

-
- +

+ Until BIND 9.12, new feature development releases were tagged + as "alpha" and "beta", leading up to the first stable release + for a given development branch, which always ended in ".0". + More recently, BIND adopted the "odd-unstable/even-stable" + release numbering convention. There will be no "alpha" or "beta" + releases in the 9.15 branch, only increasing version numbers. + So, for example, what would previously have been called 9.15.0a1, + 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, + 9.15.1, 9.15.2, etc. +

+

+ The first stable release from this development branch will be + renamed as 9.16.0. Thereafter, maintenance releases will continue + on the 9.16 branch, while unstable feature development proceeds in + 9.17. +

+

Supported Platforms

-

- To build on UNIX-like systems, BIND requires support for POSIX.1c - threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for - IPv6 (RFC 3542), and standard atomic operations provided by the - C compiler. -

-

- The OpenSSL cryptography library must be available for the target - platform. A PKCS#11 provider can be used instead for Public Key - cryptography (i.e., DNSSEC signing and validation), but OpenSSL is - still required for general cryptography operations such as hashing - and random number generation. -

-

- More information can be found in the PLATFORMS.md - file that is included in the source distribution of BIND 9. If your - compiler and system libraries provide the above features, BIND 9 - should compile and run. If that isn't the case, the BIND - development team will generally accept patches that add support - for systems that are still supported by their respective vendors. -

-
- +

+ To build on UNIX-like systems, BIND requires support for POSIX.1c + threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for + IPv6 (RFC 3542), and standard atomic operations provided by the + C compiler. +

+

+ The OpenSSL cryptography library must be available for the target + platform. A PKCS#11 provider can be used instead for Public Key + cryptography (i.e., DNSSEC signing and validation), but OpenSSL is + still required for general cryptography operations such as hashing + and random number generation. +

+

+ More information can be found in the PLATFORMS.md + file that is included in the source distribution of BIND 9. If your + compiler and system libraries provide the above features, BIND 9 + should compile and run. If that isn't the case, the BIND + development team will generally accept patches that add support + for systems that are still supported by their respective vendors. +

+

Download

-

- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -

-
- +

+ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +

+

Security Fixes

-
    -
  • -

    - In certain configurations, named could crash - with an assertion failure if nxdomain-redirect - was in use and a redirected query resulted in an NXDOMAIN from the - cache. This flaw is disclosed in CVE-2019-6467. [GL #880] -

    -
  • -
  • -

    - The TCP client quota set using the tcp-clients - option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. This flaw is disclosed in - CVE-2018-5743. [GL #615] -

    -
  • -
  • -

    - A race condition could trigger an assertion failure when - a large number of incoming packets were being rejected. - This flaw is disclosed in CVE-2019-6471. [GL #942] -

    -
  • +
      +
    • +

      + The TCP client quota set using the tcp-clients + option could be exceeded in some cases. This could lead to + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615] +

      +
    • +
    • +

      + In certain configurations, named could crash + with an assertion failure if nxdomain-redirect + was in use and a redirected query resulted in an NXDOMAIN from the + cache. This flaw is disclosed in CVE-2019-6467. [GL #880] +

      +
    • +
    • +

      + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942] +

      +
    • +
    • +

      + named could crash with an assertion failure + if a forwarder returned a referral, rather than resolving the + query, when QNAME minimization was enabled. This flaw is + disclosed in CVE-2019-6476. [GL #1501] +

      +
    • +
    • +

      + A flaw in DNSSEC verification when transferring mirror zones + could allow data to be incorrectly marked valid. This flaw + is disclosed in CVE-2019-6475. [GL #16P] +

      +
    -
- +

New Features

-
    -
  • -

    - Added a new command line option to dig: - <comand>+[no]unexpected</comand>. By default, dig - won't accept a reply from a source other than the one to which - it sent the query. Add the +unexpected argument - to enable it to process replies from unexpected sources. -

    -
  • -
  • -

    - The GeoIP2 API from MaxMind is now supported. Geolocation support - will be compiled in by default if the libmaxminddb - library is found at compile time, but can be turned off by using - configure --disable-geoip. -

    -

    - The default path to the GeoIP2 databases will be set based - on the location of the libmaxminddb library; - for example, if it is in /usr/local/lib, - then the default path will be - /usr/local/share/GeoIP. - This value can be overridden in named.conf - using the geoip-directory option. -

    -

    - Some geoip ACL settings that were available with - legacy GeoIP, including searches for netspeed, - org, and three-letter ISO country codes, will - no longer work when using GeoIP2. Supported GeoIP2 database - types are country, city, - domain, isp, and - as. All of these databases support both IPv4 - and IPv6 lookups. [GL #182] [GL #1112] -

    -
  • -
  • -

    - In order to clarify the configuration of DNSSEC keys, - the trusted-keys and - managed-keys statements have been - deprecated, and the new dnssec-keys - statement should now be used for both types of key. -

    -

    - When used with the keyword initial-key, - dnssec-keys has the same behavior as - managed-keys, i.e., it configures - a trust anchor that is to be maintained via RFC 5011. -

    -

    - When used with the new keyword static-key, it - has the same behavior as trusted-keys, - configuring a permanent trust anchor that will not automatically - be updated. (This usage is not recommended for the root key.) - [GL #6] -

    -
  • -
  • -

    - The new add-soa option specifies whether - or not the response-policy zone's SOA record - should be included in the additional section of RPZ responses. - [GL #865] -

    -
  • -
  • -

    - Two new metrics have been added to the - statistics-channel to report DNSSEC - signing operations. For each key in each zone, the - dnssec-sign counter indicates the total - number of signatures named has generated - using that key since server startup, and the - dnssec-refresh counter indicates how - many of those signatures were refreshed during zone - maintenance, as opposed to having been generated - as a result of a zone update. [GL #513] -

    -
  • -
  • -

    - Statistics channel groups are now toggleable. [GL #1030] -

    -
  • -
  • -

    - dig, mdig and - delv can all now take a +yaml - option to print output in a a detailed YAML format. [RT #1145] -

    -
  • +
      +
    • +

      + Added a new command line option to dig: + +[no]unexpected. By default, dig + won't accept a reply from a source other than the one to which + it sent the query. Add the +unexpected argument + to enable it to process replies from unexpected sources. +

      +
    • +
    • +

      + The GeoIP2 API from MaxMind is now supported. Geolocation support + will be compiled in by default if the libmaxminddb + library is found at compile time, but can be turned off by using + configure --disable-geoip. +

      +

      + The default path to the GeoIP2 databases will be set based + on the location of the libmaxminddb library; + for example, if it is in /usr/local/lib, + then the default path will be + /usr/local/share/GeoIP. + This value can be overridden in named.conf + using the geoip-directory option. +

      +

      + Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of these databases support both IPv4 + and IPv6 lookups. [GL #182] [GL #1112] +

      +
    • +
    • +

      + In order to clarify the configuration of DNSSEC keys, + the trusted-keys and + managed-keys statements have been + deprecated, and the new dnssec-keys + statement should now be used for both types of key. +

      +

      + When used with the keyword initial-key, + dnssec-keys has the same behavior as + managed-keys, i.e., it configures + a trust anchor that is to be maintained via RFC 5011. +

      +

      + When used with the new keyword static-key, it + has the same behavior as trusted-keys, + configuring a permanent trust anchor that will not automatically + be updated. (This usage is not recommended for the root key.) + [GL #6] +

      +
    • +
    • +

      + The new add-soa option specifies whether + or not the response-policy zone's SOA record + should be included in the additional section of RPZ responses. + [GL #865] +

      +
    • +
    • +

      + Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +

      +
    • +
    • +

      + Statistics channel groups are now toggleable. [GL #1030] +

      +
    • +
    • +

      + dig, mdig and + delv can all now take a +yaml + option to print output in a a detailed YAML format. [RT #1145] +

      +
    -
- +

Removed Features

-
    -
  • -

    - The dnssec-enable option has been obsoleted and - no longer has any effect. DNSSEC responses are always enabled - if signatures and other DNSSEC data are present. [GL #866] -

    -
  • -
  • -

    - The cleaning-interval option has been - removed. [GL !1731] -

    -
  • -
  • -

    - DNSSEC Lookaside Validation (DLV) is now obsolete. - The dnssec-lookaside option has been - marked as deprecated; when used in named.conf, - it will generate a warning but will otherwise be ignored. - All code enabling the use of lookaside validation has been removed - from the validator, delv, and the DNSSEC tools. - [GL #7] -

    -
  • +
      +
    • +

      + The dnssec-enable option has been obsoleted and + no longer has any effect. DNSSEC responses are always enabled + if signatures and other DNSSEC data are present. [GL #866] +

      +
    • +
    • +

      + The cleaning-interval option has been + removed. [GL !1731] +

      +
    • +
    • +

      + DNSSEC Lookaside Validation (DLV) is now obsolete. + The dnssec-lookaside option has been + marked as deprecated; when used in named.conf, + it will generate a warning but will otherwise be ignored. + All code enabling the use of lookaside validation has been removed + from the validator, delv, and the DNSSEC tools. + [GL #7] +

      +
    -
- +

Feature Changes

-
    -
  • -

    - named will now log a warning if - a static key is configured for the root zone. [GL #6] -

    -
  • -
  • -

    - When static and managed DNSSEC keys were both configured for the - same name, or when a static key was used to - configure a trust anchor for the root zone and - dnssec-validation was set to the default - value of auto, automatic RFC 5011 key - rollovers would be disabled. This combination of settings was - never intended to work, but there was no check for it in the - parser. This has been corrected, and it is now a fatal - configuration error. [GL #868] -

    -
  • -
  • -

    - DS and CDS records are now generated with SHA-256 digests - only, instead of both SHA-1 and SHA-256. This affects the - default output of dnssec-dsfromkey, the - dsset files generated by - dnssec-signzone, the DS records added to - a zone by dnssec-signzone based on - keyset files, the CDS records added to - a zone by named and - dnssec-signzone based on "sync" timing - parameters in key files, and the checks performed by - dnssec-checkds. -

    -
  • -
  • -

    - JSON-C is now the only supported library for enabling JSON - support for BIND statistics. The configure - option has been renamed from --with-libjson - to --with-json-c. Use - PKG_CONFIG_PATH to specify a custom path to - the json-c library as the new - configure option does not take the library - installation path as an optional argument. -

    -
  • -
  • -

    - A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and - made default. Old non-default HMAC-SHA based DNS Cookie algorithms - have been removed, and only the default AES algorithm is being kept - for legacy reasons. This change doesn't have any operational impact - in most common scenarios. [GL #605] -

    -

    - If you are running multiple DNS Servers (different versions of BIND 9 - or DNS server from multiple vendors) responding from the same IP - address (anycast or load-balancing scenarios), you'll have to make - sure that all the servers are configured with the same DNS Cookie - algorithm and same Server Secret for the best performance. -

    -
  • -
  • -

    - The information from the dnssec-signzone and - dnssec-verify commands is now printed to standard - output. The standard error output is only used to print warnings and - errors, and in case the user requests the signed zone to be printed to - standard output with -f - option. A new - configuration option -q has been added to silence - all output on standard output except for the name of the signed zone. -

    -
  • -
  • -

    - DS records included in DNS referral messages can now be validated - and cached immediately, reducing the number of queries needed for - a DNSSEC validation. [GL #964] -

    -
  • +
      +
    • +

      + named will now log a warning if + a static key is configured for the root zone. [GL #6] +

      +
    • +
    • +

      + When static and managed DNSSEC keys were both configured for the + same name, or when a static key was used to + configure a trust anchor for the root zone and + dnssec-validation was set to the default + value of auto, automatic RFC 5011 key + rollovers would be disabled. This combination of settings was + never intended to work, but there was no check for it in the + parser. This has been corrected, and it is now a fatal + configuration error. [GL #868] +

      +
    • +
    • +

      + DS and CDS records are now generated with SHA-256 digests + only, instead of both SHA-1 and SHA-256. This affects the + default output of dnssec-dsfromkey, the + dsset files generated by + dnssec-signzone, the DS records added to + a zone by dnssec-signzone based on + keyset files, the CDS records added to + a zone by named and + dnssec-signzone based on "sync" timing + parameters in key files, and the checks performed by + dnssec-checkds. +

      +
    • +
    • +

      + JSON-C is now the only supported library for enabling JSON + support for BIND statistics. The configure + option has been renamed from --with-libjson + to --with-json-c. Use + PKG_CONFIG_PATH to specify a custom path to + the json-c library as the new + configure option does not take the library + installation path as an optional argument. +

      +
    • +
    • +

      + A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and + made default. Old non-default HMAC-SHA based DNS Cookie algorithms + have been removed, and only the default AES algorithm is being kept + for legacy reasons. This change doesn't have any operational impact + in most common scenarios. [GL #605] +

      +

      + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +

      +
    • +
    • +

      + The information from the dnssec-signzone and + dnssec-verify commands is now printed to standard + output. The standard error output is only used to print warnings and + errors, and in case the user requests the signed zone to be printed to + standard output with -f - option. A new + configuration option -q has been added to silence + all output on standard output except for the name of the signed zone. +

      +
    • +
    • +

      + DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +

      +
    -
- +

Bug Fixes

-
    -
  • -

    - The allow-update and - allow-update-forwarding options were - inadvertently treated as configuration errors when used at the - options or view level. - This has now been corrected. - [GL #913] -

    -
  • -
  • -

    - When qname-minimization was set to - relaxed, some improperly configured domains - would fail to resolve, but would have succeeded when minimization - was disabled. named will now fall back to normal - resolution in such cases, and also uses type A rather than NS for - minimal queries in order to reduce the likelihood of encountering - the problem. [GL #1055] -

    -
  • -
  • -

    - ./configure no longer sets - --sysconfdir to /etc or - --localstatedir to /var - when --prefix is not specified and the - aforementioned options are not specified explicitly. Instead, - Autoconf's defaults of $prefix/etc and - $prefix/var are respected. -

    -
  • -
  • -

    - Glue address records were not being returned in responses - to root priming queries; this has been corrected. [GL #1092] -

    -
  • -
  • -

    - Cache database statistics counters could report invalid values - when stale answers were enabled, because of a bug in counter - maintenance when cache data becomes stale. The statistics counters - have been corrected to report the number of RRsets for each - RR type that are active, stale but still potentially served, - or stale and marked for deletion. [GL #602] -

    -
  • -
  • -

    - Interaction between DNS64 and RPZ No Data rule (CNAME *.) could - cause unexpected results; this has been fixed. [GL #1106] -

    -
  • -
  • -

    - named-checkconf now checks DNS64 prefixes - to ensure bits 64-71 are zero. [GL #1159] -

    -
  • -
  • -

    - named-checkconf now correctly reports - a missing dnstap-output option when - dnstap is set. [GL #1136] -

    -
  • -
  • -

    - Handle ETIMEDOUT error on connect() with a non-blocking - socket. [GL #1133] -

    -
  • -
  • -

    - dig now correctly expands the IPv6 address - when run with +expandaaaa +short. [GL #1152] -

    -
  • -
  • -

    - When a response-policy zone expires, ensure - that its policies are removed from the RPZ summary database. - [GL #1146] -

    -
  • +
      +
    • +

      + The allow-update and + allow-update-forwarding options were + inadvertently treated as configuration errors when used at the + options or view level. + This has now been corrected. + [GL #913] +

      +
    • +
    • +

      + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +

      +
    • +
    • +

      + ./configure no longer sets + --sysconfdir to /etc or + --localstatedir to /var + when --prefix is not specified and the + aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of $prefix/etc and + $prefix/var are respected. +

      +
    • +
    • +

      + Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +

      +
    • +
    • +

      + Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +

      +
    • +
    • +

      + named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +

      +
    • +
    • +

      + named-checkconf now correctly reports a missing + dnstap-output option when + dnstap is set. [GL #1136] +

      +
    • +
    • +

      + Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +

      +
    • +
    • +

      + Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +

      +
    • +
    • +

      + dig now correctly expands the IPv6 address + when run with +expandaaaa +short. [GL #1152] +

      +
    • +
    • +

      + When a response-policy zone expires, ensure + that its policies are removed from the RPZ summary database. + [GL #1146] +

      +
    -
- +

License

-

- BIND is open source software licensed under the terms of the Mozilla - Public License, version 2.0 (see the LICENSE - file for the full text). -

-

- The license requires that if you make changes to BIND and distribute - them outside your organization, those changes must be published under - the same license. It does not require that you publish or disclose - anything other than the changes you have made to our software. This - requirement does not affect anyone who is using BIND, with or without - modifications, without redistributing it, nor anyone redistributing - BIND without changes. -

-

- Those wishing to discuss license compliance may contact ISC at - - https://www.isc.org/mission/contact/. -

-
- +

+ BIND is open source software licensed under the terms of the Mozilla + Public License, version 2.0 (see the LICENSE + file for the full text). +

+

+ The license requires that if you make changes to BIND and distribute + them outside your organization, those changes must be published under + the same license. It does not require that you publish or disclose + anything other than the changes you have made to our software. This + requirement does not affect anyone who is using BIND, with or without + modifications, without redistributing it, nor anyone redistributing + BIND without changes. +

+

+ Those wishing to discuss license compliance may contact ISC at + + https://www.isc.org/mission/contact/. +

+

End of Life

-

- BIND 9.15 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.16, which will be a - stable branch. -

-

- The end of life date for BIND 9.16 has not yet been determined. - For those needing long term support, the current Extended Support - Version (ESV) is BIND 9.11, which will be supported until at - least December 2021. See - https://www.isc.org/downloads/software-support-policy/ - for details of ISC's software support policy. -

-
- +

+ BIND 9.15 is an unstable development branch. When its development + is complete, it will be renamed to BIND 9.16, which will be a + stable branch. +

+

+ The end of life date for BIND 9.16 has not yet been determined. + For those needing long term support, the current Extended Support + Version (ESV) is BIND 9.11, which will be supported until at + least December 2021. See + https://www.isc.org/downloads/software-support-policy/ + for details of ISC's software support policy. +

+

Thank You

-

- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -

-
+

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +

+ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

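Review bot: the added Security Fixes list in this release-notes hunk introduces entries for CVE-2019-6476 [GL #1501] and CVE-2019-6475, but the CHANGES hunk in the same commit only adds the `--- 9.15.5 released ---` marker above entry 5299 (CVE-2019-6475); confirm that CHANGES also carries an entry for CVE-2019-6476 so the two files list the same set of fixes for 9.15.5. Separately, the hunk reorders existing entries rather than only adding new ones (the tcp-clients item [GL #615] moves to the top of Security Fixes, the cache statistics item [GL #602] moves below the ETIMEDOUT item [GL #1133] in Bug Fixes) and rewraps the dnstap-output item [GL #1136]; keeping unchanged entries in place would make the diff show only the genuinely new text and make the two new CVE entries easier to review.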
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index a3537cef766..251aae8d6fd 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index a49ccc53bbb..392fc0ac866 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 1f99f9d5d02..d8fbfe3a295 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -537,6 +537,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index af5147d95ce..a48773dc954 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index f51222702c4..44dbe57b0fd 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.15.4

+

BIND Version 9.15.5


@@ -245,7 +245,7 @@
A. Release Notes
-
Release Notes for BIND Version 9.15.4
+
Release Notes for BIND Version 9.15.5
Introduction
Note on Version Numbering
@@ -443,6 +443,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 66c3639350f..cbca0a56bd2 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index f4c3c81de17..b338b4c0278 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 2604e653035..1566d0a24d4 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 405341cb919..14bb9db815d 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -621,6 +621,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index 5f2bb2956bd..7dd4d0853e8 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1188,6 +1188,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index ab289866ab5..13576db90d1 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 2cdd6eda6ec..7b918884077 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -156,6 +156,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 45f3a3e45a5..718c2c6bd59 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index ad45a53e2f8..183cc725918 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -341,6 +341,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index e153cd5e9a8..a1651b4a428 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index c5290dcdf5c..4071867a8ed 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index d9e0fdb89eb..88124727e8a 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -555,6 +555,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index 4d377c1c2c3..391ef72af0f 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 9ad5e9b2bb1..8174fd8903e 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 38d0a42c00d..66979faeeac 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index f19fa309300..baedb13a367 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -707,6 +707,6 @@ db.example.com.signed -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index e74dab17920..8cbd293f1bc 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -214,6 +214,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 21a01348d88..a8496e25b38 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 497c62ea351..62e7c6c37c7 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index bd72dc29f57..c7d07101695 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index 670846731b1..15af64a9a1d 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -610,6 +610,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index b70d7efdd4f..6b1dbe4f47e 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -214,6 +214,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index 0a50816134f..2b1dfc82fee 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index db62c9a61e6..088a9fbda24 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 3f03ef211a7..977b700f29c 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 36a0da2fe3f..0abbbc6d6ff 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index c7a3284e45e..1269c37303c 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1069,6 +1069,6 @@ zone -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 46d8062c401..c2ff92224d0 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 32d76b35ed0..dc35fe16860 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index ef04d501910..ebe13859dbd 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 04f800af8c1..6c7ae79b8bd 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index 692c032b578..4fa7f31d18f 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index a73d76a0e27..53b984aa314 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index d6eacf6d812..2a93a18b886 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index dd18c7f26f5..115f7270da7 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 2718bc29289..448ba701321 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index fd0135cabe4..563ffc87a0c 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 740e92a162b..5f3fc68fe08 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1017,6 +1017,6 @@ -

BIND 9.15.4 (Development Release)

+

BIND 9.15.5 (Development Release)

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 657821f602a..b25e390d1ed 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,472 +15,476 @@

-Release Notes for BIND Version 9.15.4

+Release Notes for BIND Version 9.15.5

Introduction

-

- BIND 9.15 is an unstable development release of BIND. - This document summarizes new features and functional changes that - have been introduced on this branch. With each development release - leading up to the stable BIND 9.16 release, this document will be - updated with additional features added and bugs fixed. -

-
- +

+ BIND 9.15 is an unstable development release of BIND. + This document summarizes new features and functional changes that + have been introduced on this branch. With each development release + leading up to the stable BIND 9.16 release, this document will be + updated with additional features added and bugs fixed. +

+

Note on Version Numbering

-

- Until BIND 9.12, new feature development releases were tagged - as "alpha" and "beta", leading up to the first stable release - for a given development branch, which always ended in ".0". - More recently, BIND adopted the "odd-unstable/even-stable" - release numbering convention. There will be no "alpha" or "beta" - releases in the 9.15 branch, only increasing version numbers. - So, for example, what would previously have been called 9.15.0a1, - 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, - 9.15.1, 9.15.2, etc. -

-

- The first stable release from this development branch will be - renamed as 9.16.0. Thereafter, maintenance releases will continue - on the 9.16 branch, while unstable feature development proceeds in - 9.17. -

-
- +

+ Until BIND 9.12, new feature development releases were tagged + as "alpha" and "beta", leading up to the first stable release + for a given development branch, which always ended in ".0". + More recently, BIND adopted the "odd-unstable/even-stable" + release numbering convention. There will be no "alpha" or "beta" + releases in the 9.15 branch, only increasing version numbers. + So, for example, what would previously have been called 9.15.0a1, + 9.15.0a2, 9.15.0b1, and so on, will instead be called 9.15.0, + 9.15.1, 9.15.2, etc. +

+

+ The first stable release from this development branch will be + renamed as 9.16.0. Thereafter, maintenance releases will continue + on the 9.16 branch, while unstable feature development proceeds in + 9.17. +

+

Supported Platforms

-

- To build on UNIX-like systems, BIND requires support for POSIX.1c - threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for - IPv6 (RFC 3542), and standard atomic operations provided by the - C compiler. -

-

- The OpenSSL cryptography library must be available for the target - platform. A PKCS#11 provider can be used instead for Public Key - cryptography (i.e., DNSSEC signing and validation), but OpenSSL is - still required for general cryptography operations such as hashing - and random number generation. -

-

- More information can be found in the PLATFORMS.md - file that is included in the source distribution of BIND 9. If your - compiler and system libraries provide the above features, BIND 9 - should compile and run. If that isn't the case, the BIND - development team will generally accept patches that add support - for systems that are still supported by their respective vendors. -

-
- +

+ To build on UNIX-like systems, BIND requires support for POSIX.1c + threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for + IPv6 (RFC 3542), and standard atomic operations provided by the + C compiler. +

+

+ The OpenSSL cryptography library must be available for the target + platform. A PKCS#11 provider can be used instead for Public Key + cryptography (i.e., DNSSEC signing and validation), but OpenSSL is + still required for general cryptography operations such as hashing + and random number generation. +

+

+ More information can be found in the PLATFORMS.md + file that is included in the source distribution of BIND 9. If your + compiler and system libraries provide the above features, BIND 9 + should compile and run. If that isn't the case, the BIND + development team will generally accept patches that add support + for systems that are still supported by their respective vendors. +

+

Download

-

- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -

-
- +

+ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +

+

Security Fixes

-
    -
  • -

    - In certain configurations, named could crash - with an assertion failure if nxdomain-redirect - was in use and a redirected query resulted in an NXDOMAIN from the - cache. This flaw is disclosed in CVE-2019-6467. [GL #880] -

    -
  • -
  • -

    - The TCP client quota set using the tcp-clients - option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. This flaw is disclosed in - CVE-2018-5743. [GL #615] -

    -
  • -
  • -

    - A race condition could trigger an assertion failure when - a large number of incoming packets were being rejected. - This flaw is disclosed in CVE-2019-6471. [GL #942] -

    -
  • +
      +
    • +

      + The TCP client quota set using the tcp-clients + option could be exceeded in some cases. This could lead to + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615] +

      +
    • +
    • +

      + In certain configurations, named could crash + with an assertion failure if nxdomain-redirect + was in use and a redirected query resulted in an NXDOMAIN from the + cache. This flaw is disclosed in CVE-2019-6467. [GL #880] +

      +
    • +
    • +

      + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942] +

      +
    • +
    • +

      + named could crash with an assertion failure + if a forwarder returned a referral, rather than resolving the + query, when QNAME minimization was enabled. This flaw is + disclosed in CVE-2019-6476. [GL #1501] +

      +
    • +
    • +

      + A flaw in DNSSEC verification when transferring mirror zones + could allow data to be incorrectly marked valid. This flaw + is disclosed in CVE-2019-6475. [GL #16P] +

      +
    -
- +

New Features

-
    -
  • -

    - Added a new command line option to dig: - <comand>+[no]unexpected</comand>. By default, dig - won't accept a reply from a source other than the one to which - it sent the query. Add the +unexpected argument - to enable it to process replies from unexpected sources. -

    -
  • -
  • -

    - The GeoIP2 API from MaxMind is now supported. Geolocation support - will be compiled in by default if the libmaxminddb - library is found at compile time, but can be turned off by using - configure --disable-geoip. -

    -

    - The default path to the GeoIP2 databases will be set based - on the location of the libmaxminddb library; - for example, if it is in /usr/local/lib, - then the default path will be - /usr/local/share/GeoIP. - This value can be overridden in named.conf - using the geoip-directory option. -

    -

    - Some geoip ACL settings that were available with - legacy GeoIP, including searches for netspeed, - org, and three-letter ISO country codes, will - no longer work when using GeoIP2. Supported GeoIP2 database - types are country, city, - domain, isp, and - as. All of these databases support both IPv4 - and IPv6 lookups. [GL #182] [GL #1112] -

    -
  • -
  • -

    - In order to clarify the configuration of DNSSEC keys, - the trusted-keys and - managed-keys statements have been - deprecated, and the new dnssec-keys - statement should now be used for both types of key. -

    -

    - When used with the keyword initial-key, - dnssec-keys has the same behavior as - managed-keys, i.e., it configures - a trust anchor that is to be maintained via RFC 5011. -

    -

    - When used with the new keyword static-key, it - has the same behavior as trusted-keys, - configuring a permanent trust anchor that will not automatically - be updated. (This usage is not recommended for the root key.) - [GL #6] -

    -
  • -
  • -

    - The new add-soa option specifies whether - or not the response-policy zone's SOA record - should be included in the additional section of RPZ responses. - [GL #865] -

    -
  • -
  • -

    - Two new metrics have been added to the - statistics-channel to report DNSSEC - signing operations. For each key in each zone, the - dnssec-sign counter indicates the total - number of signatures named has generated - using that key since server startup, and the - dnssec-refresh counter indicates how - many of those signatures were refreshed during zone - maintenance, as opposed to having been generated - as a result of a zone update. [GL #513] -

    -
  • -
  • -

    - Statistics channel groups are now toggleable. [GL #1030] -

    -
  • -
  • -

    - dig, mdig and - delv can all now take a +yaml - option to print output in a a detailed YAML format. [RT #1145] -

    -
  • +
      +
    • +

      + Added a new command line option to dig: + +[no]unexpected. By default, dig + won't accept a reply from a source other than the one to which + it sent the query. Add the +unexpected argument + to enable it to process replies from unexpected sources. +

      +
    • +
    • +

      + The GeoIP2 API from MaxMind is now supported. Geolocation support + will be compiled in by default if the libmaxminddb + library is found at compile time, but can be turned off by using + configure --disable-geoip. +

      +

      + The default path to the GeoIP2 databases will be set based + on the location of the libmaxminddb library; + for example, if it is in /usr/local/lib, + then the default path will be + /usr/local/share/GeoIP. + This value can be overridden in named.conf + using the geoip-directory option. +

      +

      + Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of these databases support both IPv4 + and IPv6 lookups. [GL #182] [GL #1112] +

      +
    • +
    • +

      + In order to clarify the configuration of DNSSEC keys, + the trusted-keys and + managed-keys statements have been + deprecated, and the new dnssec-keys + statement should now be used for both types of key. +

      +

      + When used with the keyword initial-key, + dnssec-keys has the same behavior as + managed-keys, i.e., it configures + a trust anchor that is to be maintained via RFC 5011. +

      +

      + When used with the new keyword static-key, it + has the same behavior as trusted-keys, + configuring a permanent trust anchor that will not automatically + be updated. (This usage is not recommended for the root key.) + [GL #6] +

      +
    • +
    • +

      + The new add-soa option specifies whether + or not the response-policy zone's SOA record + should be included in the additional section of RPZ responses. + [GL #865] +

      +
    • +
    • +

      + Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +

      +
    • +
    • +

      + Statistics channel groups are now toggleable. [GL #1030] +

      +
    • +
    • +

      + dig, mdig and + delv can all now take a +yaml + option to print output in a a detailed YAML format. [RT #1145] +

      +
    -
- +

Removed Features

-
    -
  • -

    - The dnssec-enable option has been obsoleted and - no longer has any effect. DNSSEC responses are always enabled - if signatures and other DNSSEC data are present. [GL #866] -

    -
  • -
  • -

    - The cleaning-interval option has been - removed. [GL !1731] -

    -
  • -
  • -

    - DNSSEC Lookaside Validation (DLV) is now obsolete. - The dnssec-lookaside option has been - marked as deprecated; when used in named.conf, - it will generate a warning but will otherwise be ignored. - All code enabling the use of lookaside validation has been removed - from the validator, delv, and the DNSSEC tools. - [GL #7] -

    -
  • +
      +
    • +

      + The dnssec-enable option has been obsoleted and + no longer has any effect. DNSSEC responses are always enabled + if signatures and other DNSSEC data are present. [GL #866] +

      +
    • +
    • +

      + The cleaning-interval option has been + removed. [GL !1731] +

      +
    • +
    • +

      + DNSSEC Lookaside Validation (DLV) is now obsolete. + The dnssec-lookaside option has been + marked as deprecated; when used in named.conf, + it will generate a warning but will otherwise be ignored. + All code enabling the use of lookaside validation has been removed + from the validator, delv, and the DNSSEC tools. + [GL #7] +

      +
    -
- +

Feature Changes

-
    -
  • -

    - named will now log a warning if - a static key is configured for the root zone. [GL #6] -

    -
  • -
  • -

    - When static and managed DNSSEC keys were both configured for the - same name, or when a static key was used to - configure a trust anchor for the root zone and - dnssec-validation was set to the default - value of auto, automatic RFC 5011 key - rollovers would be disabled. This combination of settings was - never intended to work, but there was no check for it in the - parser. This has been corrected, and it is now a fatal - configuration error. [GL #868] -

    -
  • -
  • -

    - DS and CDS records are now generated with SHA-256 digests - only, instead of both SHA-1 and SHA-256. This affects the - default output of dnssec-dsfromkey, the - dsset files generated by - dnssec-signzone, the DS records added to - a zone by dnssec-signzone based on - keyset files, the CDS records added to - a zone by named and - dnssec-signzone based on "sync" timing - parameters in key files, and the checks performed by - dnssec-checkds. -

    -
  • -
  • -

    - JSON-C is now the only supported library for enabling JSON - support for BIND statistics. The configure - option has been renamed from --with-libjson - to --with-json-c. Use - PKG_CONFIG_PATH to specify a custom path to - the json-c library as the new - configure option does not take the library - installation path as an optional argument. -

    -
  • -
  • -

    - A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and - made default. Old non-default HMAC-SHA based DNS Cookie algorithms - have been removed, and only the default AES algorithm is being kept - for legacy reasons. This change doesn't have any operational impact - in most common scenarios. [GL #605] -

    -

    - If you are running multiple DNS Servers (different versions of BIND 9 - or DNS server from multiple vendors) responding from the same IP - address (anycast or load-balancing scenarios), you'll have to make - sure that all the servers are configured with the same DNS Cookie - algorithm and same Server Secret for the best performance. -

    -
  • -
  • -

    - The information from the dnssec-signzone and - dnssec-verify commands is now printed to standard - output. The standard error output is only used to print warnings and - errors, and in case the user requests the signed zone to be printed to - standard output with -f - option. A new - configuration option -q has been added to silence - all output on standard output except for the name of the signed zone. -

    -
  • -
  • -

    - DS records included in DNS referral messages can now be validated - and cached immediately, reducing the number of queries needed for - a DNSSEC validation. [GL #964] -

    -
  • +
      +
    • +

      + named will now log a warning if + a static key is configured for the root zone. [GL #6] +

      +
    • +
    • +

      + When static and managed DNSSEC keys were both configured for the + same name, or when a static key was used to + configure a trust anchor for the root zone and + dnssec-validation was set to the default + value of auto, automatic RFC 5011 key + rollovers would be disabled. This combination of settings was + never intended to work, but there was no check for it in the + parser. This has been corrected, and it is now a fatal + configuration error. [GL #868] +

      +
    • +
    • +

      + DS and CDS records are now generated with SHA-256 digests + only, instead of both SHA-1 and SHA-256. This affects the + default output of dnssec-dsfromkey, the + dsset files generated by + dnssec-signzone, the DS records added to + a zone by dnssec-signzone based on + keyset files, the CDS records added to + a zone by named and + dnssec-signzone based on "sync" timing + parameters in key files, and the checks performed by + dnssec-checkds. +

      +
    • +
    • +

      + JSON-C is now the only supported library for enabling JSON + support for BIND statistics. The configure + option has been renamed from --with-libjson + to --with-json-c. Use + PKG_CONFIG_PATH to specify a custom path to + the json-c library as the new + configure option does not take the library + installation path as an optional argument. +

      +
    • +
    • +

      + A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added and + made default. Old non-default HMAC-SHA based DNS Cookie algorithms + have been removed, and only the default AES algorithm is being kept + for legacy reasons. This change doesn't have any operational impact + in most common scenarios. [GL #605] +

      +

      + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +

      +
    • +
    • +

      + The information from the dnssec-signzone and + dnssec-verify commands is now printed to standard + output. The standard error output is only used to print warnings and + errors, and in case the user requests the signed zone to be printed to + standard output with -f - option. A new + configuration option -q has been added to silence + all output on standard output except for the name of the signed zone. +

      +
    • +
    • +

      + DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +

      +
    -
- +

Bug Fixes

-
    -
  • -

    - The allow-update and - allow-update-forwarding options were - inadvertently treated as configuration errors when used at the - options or view level. - This has now been corrected. - [GL #913] -

    -
  • -
  • -

    - When qname-minimization was set to - relaxed, some improperly configured domains - would fail to resolve, but would have succeeded when minimization - was disabled. named will now fall back to normal - resolution in such cases, and also uses type A rather than NS for - minimal queries in order to reduce the likelihood of encountering - the problem. [GL #1055] -

    -
  • -
  • -

    - ./configure no longer sets - --sysconfdir to /etc or - --localstatedir to /var - when --prefix is not specified and the - aforementioned options are not specified explicitly. Instead, - Autoconf's defaults of $prefix/etc and - $prefix/var are respected. -

    -
  • -
  • -

    - Glue address records were not being returned in responses - to root priming queries; this has been corrected. [GL #1092] -

    -
  • -
  • -

    - Cache database statistics counters could report invalid values - when stale answers were enabled, because of a bug in counter - maintenance when cache data becomes stale. The statistics counters - have been corrected to report the number of RRsets for each - RR type that are active, stale but still potentially served, - or stale and marked for deletion. [GL #602] -

    -
  • -
  • -

    - Interaction between DNS64 and RPZ No Data rule (CNAME *.) could - cause unexpected results; this has been fixed. [GL #1106] -

    -
  • -
  • -

    - named-checkconf now checks DNS64 prefixes - to ensure bits 64-71 are zero. [GL #1159] -

    -
  • -
  • -

    - named-checkconf now correctly reports - a missing dnstap-output option when - dnstap is set. [GL #1136] -

    -
  • -
  • -

    - Handle ETIMEDOUT error on connect() with a non-blocking - socket. [GL #1133] -

    -
  • -
  • -

    - dig now correctly expands the IPv6 address - when run with +expandaaaa +short. [GL #1152] -

    -
  • -
  • -

    - When a response-policy zone expires, ensure - that its policies are removed from the RPZ summary database. - [GL #1146] -

    -
  • +
      +
    • +

      + The allow-update and + allow-update-forwarding options were + inadvertently treated as configuration errors when used at the + options or view level. + This has now been corrected. + [GL #913] +

      +
    • +
    • +

      + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +

      +
    • +
    • +

      + ./configure no longer sets + --sysconfdir to /etc or + --localstatedir to /var + when --prefix is not specified and the + aforementioned options are not specified explicitly. Instead, + Autoconf's defaults of $prefix/etc and + $prefix/var are respected. +

      +
    • +
    • +

      + Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +

      +
    • +
    • +

      + Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +

      +
    • +
    • +

      + named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +

      +
    • +
    • +

      + named-checkconf now correctly reports a missing + dnstap-output option when + dnstap is set. [GL #1136] +

      +
    • +
    • +

      + Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +

      +
    • +
    • +

      + Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +

      +
    • +
    • +

      + dig now correctly expands the IPv6 address + when run with +expandaaaa +short. [GL #1152] +

      +
    • +
    • +

      + When a response-policy zone expires, ensure + that its policies are removed from the RPZ summary database. + [GL #1146] +

      +
    -
- +

License

-

- BIND is open source software licensed under the terms of the Mozilla - Public License, version 2.0 (see the LICENSE - file for the full text). -

-

- The license requires that if you make changes to BIND and distribute - them outside your organization, those changes must be published under - the same license. It does not require that you publish or disclose - anything other than the changes you have made to our software. This - requirement does not affect anyone who is using BIND, with or without - modifications, without redistributing it, nor anyone redistributing - BIND without changes. -

-

- Those wishing to discuss license compliance may contact ISC at - - https://www.isc.org/mission/contact/. -

-
- +

+ BIND is open source software licensed under the terms of the Mozilla + Public License, version 2.0 (see the LICENSE + file for the full text). +

+

+ The license requires that if you make changes to BIND and distribute + them outside your organization, those changes must be published under + the same license. It does not require that you publish or disclose + anything other than the changes you have made to our software. This + requirement does not affect anyone who is using BIND, with or without + modifications, without redistributing it, nor anyone redistributing + BIND without changes. +

+

+ Those wishing to discuss license compliance may contact ISC at + + https://www.isc.org/mission/contact/. +

+

End of Life

-

- BIND 9.15 is an unstable development branch. When its development - is complete, it will be renamed to BIND 9.16, which will be a - stable branch. -

-

- The end of life date for BIND 9.16 has not yet been determined. - For those needing long term support, the current Extended Support - Version (ESV) is BIND 9.11, which will be supported until at - least December 2021. See - https://www.isc.org/downloads/software-support-policy/ - for details of ISC's software support policy. -

-
- +

+ BIND 9.15 is an unstable development branch. When its development + is complete, it will be renamed to BIND 9.16, which will be a + stable branch. +

+

+ The end of life date for BIND 9.16 has not yet been determined. + For those needing long term support, the current Extended Support + Version (ESV) is BIND 9.11, which will be supported until at + least December 2021. See + https://www.isc.org/downloads/software-support-policy/ + for details of ISC's software support policy. +

+

Thank You

-

- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -

-
+

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +

+ diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index d6d1fc3327d..5a6ba162ec5 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index 81fd3256933..3f1e03a787f 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.15.4 +Release Notes for BIND Version 9.15.5 Introduction 
@@ -50,25 +50,33 @@ operating systems. Security Fixes + * The TCP client quota set using the tcp-clients option could be + exceeded in some cases. This could lead to exhaustion of file + descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615] + * In certain configurations, named could crash with an assertion failure if nxdomain-redirect was in use and a redirected query resulted in an NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL #880] - * The TCP client quota set using the tcp-clients option could be - exceeded in some cases. This could lead to exhaustion of file - descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615] - * A race condition could trigger an assertion failure when a large number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942] + * named could crash with an assertion failure if a forwarder returned a + referral, rather than resolving the query, when QNAME minimization was + enabled. This flaw is disclosed in CVE-2019-6476. [GL #1501] + + * A flaw in DNSSEC verification when transferring mirror zones could + allow data to be incorrectly marked valid. This flaw is disclosed in + CVE-2019-6475. [GL #16P] + New Features - * Added a new command line option to dig: +[no]unexpected. By default, dig won't accept a reply from a source other than - the one to which it sent the query. Add the +unexpected argument to - enable it to process replies from unexpected sources. + * Added a new command line option to dig: +[no]unexpected. By default, + dig won't accept a reply from a source other than the one to which it + sent the query. Add the +unexpected argument to enable it to process + replies from unexpected sources. * The GeoIP2 API from MaxMind is now supported. Geolocation support will be compiled in by default if the libmaxminddb library is found at 
@@ -202,13 +210,6 @@ Bug Fixes * Glue address records were not being returned in responses to root priming queries; this has been corrected. [GL #1092] - * Cache database statistics counters could report invalid values when - stale answers were enabled, because of a bug in counter maintenance - when cache data becomes stale. The statistics counters have been - corrected to report the number of RRsets for each RR type that are - active, stale but still potentially served, or stale and marked for - deletion. [GL #602] - * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause unexpected results; this has been fixed. [GL #1106] @@ -221,6 +222,13 @@ Bug Fixes * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL # 1133] + * Cache database statistics counters could report invalid values when + stale answers were enabled, because of a bug in counter maintenance + when cache data becomes stale. The statistics counters have been + corrected to report the number of RRsets for each RR type that are + active, stale but still potentially served, or stale and marked for + deletion. [GL #602] + * dig now correctly expands the IPv6 address when run with +expandaaaa +short. [GL #1152] diff --git a/lib/dns/api b/lib/dns/api index ceb49d16753..faf692f58da 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1503 +LIBINTERFACE = 1504 LIBREVISION = 0 -LIBAGE = 0 +LIBAGE = 1 diff --git a/lib/irs/api b/lib/irs/api index c72183594a2..c65b577dfa4 100644 --- a/lib/irs/api +++ b/lib/irs/api @@ -11,5 +11,5 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 LIBINTERFACE = 1501 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index d1ed585b1a4..ceb49d16753 100644 --- a/lib/isc/api +++ b/lib/isc/api 
@@ -10,6 +10,6 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 -LIBINTERFACE = 1502 -LIBREVISION = 1 +LIBINTERFACE = 1503 +LIBREVISION = 0 LIBAGE = 0 diff --git a/lib/isccfg/api b/lib/isccfg/api index c72183594a2..c65b577dfa4 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -11,5 +11,5 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 LIBINTERFACE = 1501 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/lib/ns/api b/lib/ns/api index c72183594a2..c65b577dfa4 100644 --- a/lib/ns/api +++ b/lib/ns/api @@ -11,5 +11,5 @@ # 9.13/9.14: 1300-1499 # 9.15/9.16: 1500-1699 LIBINTERFACE = 1501 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/version b/version index 8fc4f425784..f125284d8a5 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Development Release)" MAJORVER=9 MINORVER=15 -PATCHVER=4 +PATCHVER=5 RELEASETYPE= RELEASEVER= EXTENSIONS=
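Review bot: in the doc/arm release-notes HTML hunk above (Bug Fixes list), the GL #602 cache-statistics entry is removed from its position between the root-priming entry (GL #1092) and the DNS64/RPZ entry (GL #1106) and re-added after the ETIMEDOUT entry (GL #1133), and two entries are added at the top of the list (GL #913, allow-update and allow-update-forwarding accepted at options/view level; GL #1055, fallback to normal resolution when qname-minimization relaxed fails). The identical text also changes in notes.txt and notes.pdf, so these three look like generated output; make sure the reorder and the two new entries were made in the source they are built from, otherwise the next regeneration will revert the HTML and text back to the old order. The removed and re-added GL #602 text is character-for-character the same, so only the new GL #913 and GL #1055 wording needs proofreading.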
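Review bot: in the notes.txt Security Fixes hunk (@@ -50,25 +50,33 @@), the new CVE-2019-6475 entry cites [GL #16P], which does not match the numeric [GL #NNN] form used by every other entry in the same hunk ([GL #615], [GL #880], [GL #942], [GL #1501]). If this is a typo it should be corrected before the release notes ship; if it deliberately points at a non-public tracker, a consistent marker for such references would avoid readers taking it for a mistake. The rest of the hunk is ordering and whitespace only: the CVE-2018-5743 bullet moves above CVE-2019-6467, and the dig +[no]unexpected paragraph is rewrapped without changing its words. The two added security bullets (CVE-2019-6476 and CVE-2019-6475, three lines each plus a blank separator) account for the hunk growing from 25 to 33 lines.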
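Review bot: the two notes.txt Bug Fixes hunks (@@ -202,13 +210,6 @@ and @@ -221,6 +222,13 @@) only relocate the GL #602 cache-statistics bullet to after the ETIMEDOUT bullet (GL #1133); the seven removed lines and the seven added lines are identical, so there is no new wording to check here. The offsets are consistent: the +8 from the Security Fixes hunk shifts 202 to 210, and after the seven-line removal the second hunk correctly lands at 221/222. If the move is intentional (grouping the entry with the other stale-answer/cache work), it should come from the same source edit as the HTML change noted above rather than from a hand edit of the generated file.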
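Review bot: the lib/*/api bumps make different ABI-compatibility claims and one of them should be confirmed. lib/dns goes LIBINTERFACE 1503 to 1504 with LIBREVISION 0 and LIBAGE 0 to 1, which is the libtool pattern for "interfaces added, still compatible with the previous interface". lib/isc goes LIBINTERFACE 1502 to 1503 with LIBREVISION reset from 1 to 0 and LIBAGE left at 0, which is the pattern for an incompatible change (an exported interface removed or altered). If libisc only gained functions this release, LIBAGE should become 1 as it did for libdns; if something was removed or changed, age 0 is right and that break deserves a mention in the release notes, since it affects anyone linking against the shared library. lib/irs, lib/isccfg and lib/ns bump only LIBREVISION (0 to 1), i.e. implementation-only changes, which is fine provided none of them added or dropped exported symbols. All new values stay inside the 1500-1699 range the header comments reserve for 9.15/9.16, and PATCHVER 4 to 5 in the version file matches the 9.15.5 string in the regenerated notes.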