From: Tinderbox User Date: Wed, 2 Oct 2019 06:16:15 +0000 (+0000) Subject: prep 9.14.7 X-Git-Tag: v9.14.7^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ee12e5337188c05e29b63160eac6e287e3e089f;p=thirdparty%2Fbind9.git prep 9.14.7 --- diff --git a/CHANGES b/CHANGES index 12a1d8a54e8..0f44aa66329 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ + --- 9.14.7 released --- + 5299. [security] A flaw in DNSSEC verification when transferring mirror zones could allow data to be incorrectly marked valid. (CVE-2019-6475) [GL #16P] diff --git a/README b/README index c6bc268fa7b..fd24d3db242 100644 --- a/README +++ b/README @@ -175,6 +175,11 @@ BIND 9.14.6 BIND 9.14.6 is a maintenance release. +BIND 9.14.7 + +BIND 9.14.7 is a maintenance release, and also addresses the security +vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476. + Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, @@ -423,7 +428,9 @@ Acknowledgments * This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. http://www.OpenSSL.org/ + * This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) + * This product includes software written by Tim Hudson (tjh@cryptsoft.com) diff --git a/README.md b/README.md index b6283858a86..99d7f0bfd8b 100644 --- a/README.md +++ b/README.md @@ -191,6 +191,11 @@ BIND 9.14.5 is a maintenance release. BIND 9.14.6 is a maintenance release. +#### BIND 9.14.7 + +BIND 9.14.7 is a maintenance release, and also addresses the security +vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476. + ### Building BIND Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler, diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index 2daea6e7a24..5d6fa1b8da4 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index f90a1acccfd..1b8f956d43c 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index a2cc0d67962..bdcf94d8e50 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -856,6 +856,6 @@ controls { -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 6ae75479d53..c2a600aaaae 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2863,6 +2863,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 08ab29b757f..bacf9087ab6 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -14897,6 +14897,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index c80cbc680f0..b35d11fb5a5 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -362,6 +362,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 56e724e7559..48b233c9752 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -191,6 +191,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index ee849e25444..3317e9c4c42 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,7 +36,7 @@

Table of Contents

-
Release Notes for BIND Version 9.14.6
+
Release Notes for BIND Version 9.14.7
Introduction
Note on Version Numbering
@@ -53,286 +53,292 @@

-Release Notes for BIND Version 9.14.6

+Release Notes for BIND Version 9.14.7

Introduction

-

- BIND 9.14 is a stable branch of BIND. - This document summarizes significant changes since the last - production release on that branch. -

-

-

-

- Please see the file CHANGES for a more - detailed list of changes and bug fixes. -

-
- +

+ BIND 9.14 is a stable branch of BIND. + This document summarizes significant changes since the last + production release on that branch. +

+

+ Please see the file CHANGES for a more + detailed list of changes and bug fixes. +

+

Note on Version Numbering

-

- As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" - release numbering convention. BIND 9.14 contains new features added - during the BIND 9.13 development process. Henceforth, the 9.14 branch - will be limited to bug fixes and new feature development will proceed - in the unstable 9.15 branch, and so forth. -

-
- +

+ As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" + release numbering convention. BIND 9.14 contains new features added + during the BIND 9.13 development process. Henceforth, the 9.14 branch + will be limited to bug fixes and new feature development will proceed + in the unstable 9.15 branch, and so forth. +

+

Supported Platforms

-

- Since 9.12, BIND has undergone substantial code refactoring and - cleanup, and some very old code has been removed that supported - obsolete operating systems and operating systems for which ISC is - no longer able to perform quality assurance testing. Specifically, - workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster - and IRIX have been removed. -

-

- On UNIX-like systems, BIND now requires support for POSIX.1c - threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for - IPv6 (RFC 3542), and standard atomic operations provided by the - C compiler. -

-

- More information can be found in the PLATFORM.md - file that is included in the source distribution of BIND 9. If your - platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND - development team will generally accept patches that add support - for systems that are still supported by their respective vendors. -

-

- As of BIND 9.14, the BIND development team has also made cryptography - (i.e., TSIG and DNSSEC) an integral part of the DNS server. The - OpenSSL cryptography library must be available for the target - platform. A PKCS#11 provider can be used instead for Public Key - cryptography (i.e., DNSSEC signing and validation), but OpenSSL is - still required for general cryptography operations such as hashing - and random number generation. -

-
- +

+ Since 9.12, BIND has undergone substantial code refactoring and + cleanup, and some very old code has been removed that supported + obsolete operating systems and operating systems for which ISC is + no longer able to perform quality assurance testing. Specifically, + workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster + and IRIX have been removed. +

+

+ On UNIX-like systems, BIND now requires support for POSIX.1c + threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for + IPv6 (RFC 3542), and standard atomic operations provided by the + C compiler. +

+

+ More information can be found in the PLATFORM.md + file that is included in the source distribution of BIND 9. If your + platform compiler and system libraries provide the above features, + BIND 9 should compile and run. If that isn't the case, the BIND + development team will generally accept patches that add support + for systems that are still supported by their respective vendors. +

+

+ As of BIND 9.14, the BIND development team has also made cryptography + (i.e., TSIG and DNSSEC) an integral part of the DNS server. The + OpenSSL cryptography library must be available for the target + platform. A PKCS#11 provider can be used instead for Public Key + cryptography (i.e., DNSSEC signing and validation), but OpenSSL is + still required for general cryptography operations such as hashing + and random number generation. +

+

Download

-

- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -

-
- +

+ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +

+

Security Fixes

-
  • -

    - A race condition could trigger an assertion failure when - a large number of incoming packets were being rejected. - This flaw is disclosed in CVE-2019-6471. [GL #942] -

    -
-
- +
+

New Features

-
    +
    • -

      - The new GeoIP2 API from MaxMind is now supported when BIND - is compiled using configure --with-geoip2. - The legacy GeoIP API can be used by compiling with - configure --with-geoip instead. (Note that - the databases for the legacy API are no longer maintained by - MaxMind.) -

      -

      - The default path to the GeoIP2 databases will be set based - on the location of the libmaxminddb library; - for example, if it is in /usr/local/lib, - then the default path will be - /usr/local/share/GeoIP. - This value can be overridden in named.conf - using the geoip-directory option. -

      -

      - Some geoip ACL settings that were available with - legacy GeoIP, including searches for netspeed, - org, and three-letter ISO country codes, will - no longer work when using GeoIP2. Supported GeoIP2 database - types are country, city, - domain, isp, and - as. All of the databases support both IPv4 - and IPv6 lookups. [GL #182] -

      -
    • +

      + The new GeoIP2 API from MaxMind is now supported when BIND + is compiled using configure --with-geoip2. + The legacy GeoIP API can be used by compiling with + configure --with-geoip instead. (Note that + the databases for the legacy API are no longer maintained by + MaxMind.) +

      +

      + The default path to the GeoIP2 databases will be set based + on the location of the libmaxminddb library; + for example, if it is in /usr/local/lib, + then the default path will be + /usr/local/share/GeoIP. + This value can be overridden in named.conf + using the geoip-directory option. +

      +

      + Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of the databases support both IPv4 + and IPv6 lookups. [GL #182] +

      +
    • -

      - Two new metrics have been added to the - statistics-channel to report DNSSEC - signing operations. For each key in each zone, the - dnssec-sign counter indicates the total - number of signatures named has generated - using that key since server startup, and the - dnssec-refresh counter indicates how - many of those signatures were refreshed during zone - maintenance, as opposed to having been generated - as a result of a zone update. [GL #513] -

      -
    • +

      + Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +

      +
    • -

      - A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added. - [GL #605] -

      -

      - If you are running multiple DNS Servers (different versions of BIND 9 - or DNS server from multiple vendors) responding from the same IP - address (anycast or load-balancing scenarios), you'll have to make - sure that all the servers are configured with the same DNS Cookie - algorithm and same Server Secret for the best performance. -

      -
    • +

      + A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added. + [GL #605] +

      +

      + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +

      +
    • -

      - DS records included in DNS referral messages can now be validated - and cached immediately, reducing the number of queries needed for - a DNSSEC validation. [GL #964] -

      -
    • +

      + DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +

      +
    -
- +

Bug Fixes

-
    +
    • -

      - When qname-minimization was set to - relaxed, some improperly configured domains - would fail to resolve, but would have succeeded if minimization - were disabled. named will now fall back to normal - resolution in such cases, and also uses type A rather than NS for - minimal queries in order to reduce the likelihood of encountering - the problem. [GL #1055] -

      -
    • +

      + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +

      +
    • -

      - Glue address records were not being returned in responses - to root priming queries; this has been corrected. [GL #1092] -

      -
    • +

      + Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +

      +
    • -

      - Cache database statistics counters could report invalid values - when stale answers were enabled, because of a bug in counter - maintenance when cache data becomes stale. The statistics counters - have been corrected to report the number of RRsets for each - RR type that are active, stale but still potentially served, - or stale and marked for deletion. [GL #602] -

      -
    • +

      + Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +

      +
    • -

      - Interaction between DNS64 and RPZ No Data rule (CNAME *.) could - cause unexpected results; this has been fixed. [GL #1106] -

      -
    • +

      + named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +

      +
    • -

      - named-checkconf now checks DNS64 prefixes - to ensure bits 64-71 are zero. [GL #1159] -

      -
    • +

      + named-checkconf could crash during + configuration if configured to use "geoip continent" ACLs with + legacy GeoIP. [GL #1163] +

      +
    • -

      - named-checkconf could crash during - configuration if configured to use "geoip continent" ACLs with - legacy GeoIP. [GL #1163] -

      -
    • +

      + named-checkconf now correctly reports a missing + dnstap-output option when + dnstap is set. [GL #1136] +

      +
    • -

      - named-checkconf now correctly reports missing - dnstap-output option when - dnstap is set. [GL #1136] -

      -
    • +

      + Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +

      +
    • -

      - Handle ETIMEDOUT error on connect() with a non-blocking - socket. [GL #1133] -

      -
    • +

      + Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +

      +
    • -

      - When a response-policy zone expires, ensure - that its policies are removed from the RPZ summary database. - [GL #1146] -

      -
    • +

      + When a response-policy zone expires, ensure + that its policies are removed from the RPZ summary database. + [GL #1146] +

      +
    -
- +

License

-

- BIND is open source software licensed under the terms of the Mozilla - Public License, version 2.0 (see the LICENSE - file for the full text). -

-

- The license requires that if you make changes to BIND and distribute - them outside your organization, those changes must be published under - the same license. It does not require that you publish or disclose - anything other than the changes you have made to our software. This - requirement does not affect anyone who is using BIND, with or without - modifications, without redistributing it, nor anyone redistributing - BIND without changes. -

-

- Those wishing to discuss license compliance may contact ISC at - - https://www.isc.org/mission/contact/. -

-
- +

+ BIND is open source software licensed under the terms of the Mozilla + Public License, version 2.0 (see the LICENSE + file for the full text). +

+

+ The license requires that if you make changes to BIND and distribute + them outside your organization, those changes must be published under + the same license. It does not require that you publish or disclose + anything other than the changes you have made to our software. This + requirement does not affect anyone who is using BIND, with or without + modifications, without redistributing it, nor anyone redistributing + BIND without changes. +

+

+ Those wishing to discuss license compliance may contact ISC at + + https://www.isc.org/mission/contact/. +

+

End of Life

-

- The end of life date for BIND 9.14 has not yet been determined. - For those needing long term support, the current Extended Support - Version (ESV) is BIND 9.11, which will be supported until at - least December 2021. See - https://www.isc.org/downloads/software-support-policy/ - for details of ISC's software support policy. -

-
- +

+ The end of life date for BIND 9.14 has not yet been determined. + For those needing long term support, the current Extended Support + Version (ESV) is BIND 9.11, which will be supported until at + least December 2021. See + https://www.isc.org/downloads/software-support-policy/ + for details of ISC's software support policy. +

+

Thank You

-

- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -

-
+

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +

+ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)
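Review bot: The "Security Fixes" section of this Bv9ARM.ch08.html hunk ends up with no visible entry. The CVE-2019-6471 item ("A race condition could trigger an assertion failure ...", [GL #942]) is removed and the added lines under that heading carry no text, while the README and README.md hunks in this same commit state that 9.14.7 "addresses the security vulnerabilities disclosed in CVE-2019-6475 and CVE-2019-6476". Please add one item per CVE under Security Fixes, each with its GL reference, so the release notes agree with README and with CHANGES entry 5299, and an operator reading only the notes can tell this is a security release. A smaller point in the same hunk: under "Bug Fixes" the cache database statistics item [GL #602] moves further down the list, and two items are reworded ("when minimization was disabled", "reports a missing dnstap-output option"). The commit message "prep 9.14.7" reads as a version bump only, so a line mentioning the notes edits would help anyone bisecting documentation changes later.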

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index c3788ad3242..1819558b0ae 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 3daf7fc349e..8b5fe5f340b 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 02136bef048..fc52d7af621 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index 1b5021cc07a..dad2f78633c 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index 341f92036b5..4b615aabe49 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.14.6

+

BIND Version 9.14.7


@@ -242,7 +242,7 @@
A. Release Notes
-
Release Notes for BIND Version 9.14.6
+
Release Notes for BIND Version 9.14.7
Introduction
Note on Version Numbering
@@ -438,6 +438,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 425ac38a508..6dd2a34b0ac 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index e0964b26fc2..b01eb01581a 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 0c7f147c02c..3cf3cbef6a0 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -220,6 +220,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index fee02e63c2d..d13a278933f 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index c324503b9f3..c18bce9940e 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1166,6 +1166,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 85862148a0b..89c2bf2be94 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 2ab83621ed1..8784ff85bd1 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -150,6 +150,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index de96d13dae4..6acce992533 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index f811f988de9..abc0d66c356 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -352,6 +352,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index f0263b3f54b..877edb04689 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index ad17ad15024..3df6dfb33fe 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 249618f6320..90dc541dbd5 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -557,6 +557,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index 71aa6b61c75..878ae58f123 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -405,6 +405,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 7bdf93ed6bf..c8d5357c5c8 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 79993df59d3..c67e8730334 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 3fcabb8a9ea..8893a294536 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -701,6 +701,6 @@ db.example.com.signed -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index ed10affbd41..db48e9e4a8b 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index d1b88bf8ff0..f580ed84b76 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.filter-aaaa.html b/doc/arm/man.filter-aaaa.html index 4f00baeba8b..47ff58105d3 100644 --- a/doc/arm/man.filter-aaaa.html +++ b/doc/arm/man.filter-aaaa.html @@ -168,6 +168,6 @@ plugin query "/usr/local/lib/filter-aaaa.so" { -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index dc3d20263c6..fb8d5187c69 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -366,6 +366,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index acbde0c0a1b..cbe9f59c4d5 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -604,6 +604,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index 1f664984217..f2c19f99324 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -208,6 +208,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index c5649ba6fa8..0bd0b487249 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 2069519f836..43bd8c94502 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index d7e26aa7d1b..3dec266654d 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index 950624a89f6..02f71890d54 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index d56df6b79c8..8bc30c694e2 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1075,6 +1075,6 @@ zone -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index a87991512d9..225947c95fa 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 06375990c17..c7b38bdf4f5 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index c63f5826989..0c130b23e28 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 70150009ef1..3469a520ba3 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -818,6 +818,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index be60ae0b2d5..ad74b128fa4 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index f50a928f648..0ebf4749f52 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 389de54b434..707f8ce9029 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 6a11d09ce41..06e94bb537f 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 159df5961bf..26409634c92 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -260,6 +260,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index e6ac17c1eb6..e6909ad75f4 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 8ea4d49bb69..980c78b47ec 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1024,6 +1024,6 @@ -

BIND 9.14.6 (Stable Release)

+

BIND 9.14.7 (Stable Release)

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 6de345030b0..e735779158b 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,286 +15,292 @@

-Release Notes for BIND Version 9.14.6

+Release Notes for BIND Version 9.14.7

Introduction

-

- BIND 9.14 is a stable branch of BIND. - This document summarizes significant changes since the last - production release on that branch. -

-

-

-

- Please see the file CHANGES for a more - detailed list of changes and bug fixes. -

-
- +

+ BIND 9.14 is a stable branch of BIND. + This document summarizes significant changes since the last + production release on that branch. +

+

+ Please see the file CHANGES for a more + detailed list of changes and bug fixes. +

+

Note on Version Numbering

-

- As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" - release numbering convention. BIND 9.14 contains new features added - during the BIND 9.13 development process. Henceforth, the 9.14 branch - will be limited to bug fixes and new feature development will proceed - in the unstable 9.15 branch, and so forth. -

-
- +

+ As of BIND 9.13/9.14, BIND has adopted the "odd-unstable/even-stable" + release numbering convention. BIND 9.14 contains new features added + during the BIND 9.13 development process. Henceforth, the 9.14 branch + will be limited to bug fixes and new feature development will proceed + in the unstable 9.15 branch, and so forth. +

+

Supported Platforms

-

- Since 9.12, BIND has undergone substantial code refactoring and - cleanup, and some very old code has been removed that supported - obsolete operating systems and operating systems for which ISC is - no longer able to perform quality assurance testing. Specifically, - workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster - and IRIX have been removed. -

-

- On UNIX-like systems, BIND now requires support for POSIX.1c - threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for - IPv6 (RFC 3542), and standard atomic operations provided by the - C compiler. -

-

- More information can be found in the PLATFORM.md - file that is included in the source distribution of BIND 9. If your - platform compiler and system libraries provide the above features, - BIND 9 should compile and run. If that isn't the case, the BIND - development team will generally accept patches that add support - for systems that are still supported by their respective vendors. -

-

- As of BIND 9.14, the BIND development team has also made cryptography - (i.e., TSIG and DNSSEC) an integral part of the DNS server. The - OpenSSL cryptography library must be available for the target - platform. A PKCS#11 provider can be used instead for Public Key - cryptography (i.e., DNSSEC signing and validation), but OpenSSL is - still required for general cryptography operations such as hashing - and random number generation. -

-
- +

+ Since 9.12, BIND has undergone substantial code refactoring and + cleanup, and some very old code has been removed that supported + obsolete operating systems and operating systems for which ISC is + no longer able to perform quality assurance testing. Specifically, + workarounds for UnixWare, BSD/OS, AIX, Tru64, SunOS, TruCluster + and IRIX have been removed. +

+

+ On UNIX-like systems, BIND now requires support for POSIX.1c + threads (IEEE Std 1003.1c-1995), the Advanced Sockets API for + IPv6 (RFC 3542), and standard atomic operations provided by the + C compiler. +

+

+ More information can be found in the PLATFORM.md + file that is included in the source distribution of BIND 9. If your + platform compiler and system libraries provide the above features, + BIND 9 should compile and run. If that isn't the case, the BIND + development team will generally accept patches that add support + for systems that are still supported by their respective vendors. +

+

+ As of BIND 9.14, the BIND development team has also made cryptography + (i.e., TSIG and DNSSEC) an integral part of the DNS server. The + OpenSSL cryptography library must be available for the target + platform. A PKCS#11 provider can be used instead for Public Key + cryptography (i.e., DNSSEC signing and validation), but OpenSSL is + still required for general cryptography operations such as hashing + and random number generation. +

+

Download

-

- The latest versions of BIND 9 software can always be found at - http://www.isc.org/downloads/. - There you will find additional information about each release, - source code, and pre-compiled versions for Microsoft Windows - operating systems. -

-
- +

+ The latest versions of BIND 9 software can always be found at + http://www.isc.org/downloads/. + There you will find additional information about each release, + source code, and pre-compiled versions for Microsoft Windows + operating systems. +

+

Security Fixes

-
  • -

    - A race condition could trigger an assertion failure when - a large number of incoming packets were being rejected. - This flaw is disclosed in CVE-2019-6471. [GL #942] -

    -
-
- +
    +
  • +

    + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942] +

    +
  • +
  • +

    + named could crash with an assertion failure + if a forwarder returned a referral, rather than resolving the + query, when QNAME minimization was enabled. This flaw is + disclosed in CVE-2019-6476. [GL #1501] +

    +
  • +
  • +

    + A flaw in DNSSEC verification when transferring mirror zones + could allow data to be incorrectly marked valid. This flaw + is disclosed in CVE-2019-6475. [GL #16P] +

    +
  • +
+

New Features

-
    +
    • -

      - The new GeoIP2 API from MaxMind is now supported when BIND - is compiled using configure --with-geoip2. - The legacy GeoIP API can be used by compiling with - configure --with-geoip instead. (Note that - the databases for the legacy API are no longer maintained by - MaxMind.) -

      -

      - The default path to the GeoIP2 databases will be set based - on the location of the libmaxminddb library; - for example, if it is in /usr/local/lib, - then the default path will be - /usr/local/share/GeoIP. - This value can be overridden in named.conf - using the geoip-directory option. -

      -

      - Some geoip ACL settings that were available with - legacy GeoIP, including searches for netspeed, - org, and three-letter ISO country codes, will - no longer work when using GeoIP2. Supported GeoIP2 database - types are country, city, - domain, isp, and - as. All of the databases support both IPv4 - and IPv6 lookups. [GL #182] -

      -
    • +

      + The new GeoIP2 API from MaxMind is now supported when BIND + is compiled using configure --with-geoip2. + The legacy GeoIP API can be used by compiling with + configure --with-geoip instead. (Note that + the databases for the legacy API are no longer maintained by + MaxMind.) +

      +

      + The default path to the GeoIP2 databases will be set based + on the location of the libmaxminddb library; + for example, if it is in /usr/local/lib, + then the default path will be + /usr/local/share/GeoIP. + This value can be overridden in named.conf + using the geoip-directory option. +

      +

      + Some geoip ACL settings that were available with + legacy GeoIP, including searches for netspeed, + org, and three-letter ISO country codes, will + no longer work when using GeoIP2. Supported GeoIP2 database + types are country, city, + domain, isp, and + as. All of the databases support both IPv4 + and IPv6 lookups. [GL #182] +

      +
    • -

      - Two new metrics have been added to the - statistics-channel to report DNSSEC - signing operations. For each key in each zone, the - dnssec-sign counter indicates the total - number of signatures named has generated - using that key since server startup, and the - dnssec-refresh counter indicates how - many of those signatures were refreshed during zone - maintenance, as opposed to having been generated - as a result of a zone update. [GL #513] -

      -
    • +

      + Two new metrics have been added to the + statistics-channel to report DNSSEC + signing operations. For each key in each zone, the + dnssec-sign counter indicates the total + number of signatures named has generated + using that key since server startup, and the + dnssec-refresh counter indicates how + many of those signatures were refreshed during zone + maintenance, as opposed to having been generated + as a result of a zone update. [GL #513] +

      +
    • -

      - A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added. - [GL #605] -

      -

      - If you are running multiple DNS Servers (different versions of BIND 9 - or DNS server from multiple vendors) responding from the same IP - address (anycast or load-balancing scenarios), you'll have to make - sure that all the servers are configured with the same DNS Cookie - algorithm and same Server Secret for the best performance. -

      -
    • +

      + A SipHash 2-4 based DNS Cookie (RFC 7873) algorithm has been added. + [GL #605] +

      +

      + If you are running multiple DNS Servers (different versions of BIND 9 + or DNS server from multiple vendors) responding from the same IP + address (anycast or load-balancing scenarios), you'll have to make + sure that all the servers are configured with the same DNS Cookie + algorithm and same Server Secret for the best performance. +

      +
    • -

      - DS records included in DNS referral messages can now be validated - and cached immediately, reducing the number of queries needed for - a DNSSEC validation. [GL #964] -

      -
    • +

      + DS records included in DNS referral messages can now be validated + and cached immediately, reducing the number of queries needed for + a DNSSEC validation. [GL #964] +

      +
    -
- +

Bug Fixes

-
    +
    • -

      - When qname-minimization was set to - relaxed, some improperly configured domains - would fail to resolve, but would have succeeded if minimization - were disabled. named will now fall back to normal - resolution in such cases, and also uses type A rather than NS for - minimal queries in order to reduce the likelihood of encountering - the problem. [GL #1055] -

      -
    • +

      + When qname-minimization was set to + relaxed, some improperly configured domains + would fail to resolve, but would have succeeded when minimization + was disabled. named will now fall back to normal + resolution in such cases, and also uses type A rather than NS for + minimal queries in order to reduce the likelihood of encountering + the problem. [GL #1055] +

      +
    • -

      - Glue address records were not being returned in responses - to root priming queries; this has been corrected. [GL #1092] -

      -
    • +

      + Glue address records were not being returned in responses + to root priming queries; this has been corrected. [GL #1092] +

      +
    • -

      - Cache database statistics counters could report invalid values - when stale answers were enabled, because of a bug in counter - maintenance when cache data becomes stale. The statistics counters - have been corrected to report the number of RRsets for each - RR type that are active, stale but still potentially served, - or stale and marked for deletion. [GL #602] -

      -
    • +

      + Interaction between DNS64 and RPZ No Data rule (CNAME *.) could + cause unexpected results; this has been fixed. [GL #1106] +

      +
    • -

      - Interaction between DNS64 and RPZ No Data rule (CNAME *.) could - cause unexpected results; this has been fixed. [GL #1106] -

      -
    • +

      + named-checkconf now checks DNS64 prefixes + to ensure bits 64-71 are zero. [GL #1159] +

      +
    • -

      - named-checkconf now checks DNS64 prefixes - to ensure bits 64-71 are zero. [GL #1159] -

      -
    • +

      + named-checkconf could crash during + configuration if configured to use "geoip continent" ACLs with + legacy GeoIP. [GL #1163] +

      +
    • -

      - named-checkconf could crash during - configuration if configured to use "geoip continent" ACLs with - legacy GeoIP. [GL #1163] -

      -
    • +

      + named-checkconf now correctly reports a missing + dnstap-output option when + dnstap is set. [GL #1136] +

      +
    • -

      - named-checkconf now correctly reports missing - dnstap-output option when - dnstap is set. [GL #1136] -

      -
    • +

      + Handle ETIMEDOUT error on connect() with a non-blocking + socket. [GL #1133] +

      +
    • -

      - Handle ETIMEDOUT error on connect() with a non-blocking - socket. [GL #1133] -

      -
    • +

      + Cache database statistics counters could report invalid values + when stale answers were enabled, because of a bug in counter + maintenance when cache data becomes stale. The statistics counters + have been corrected to report the number of RRsets for each + RR type that are active, stale but still potentially served, + or stale and marked for deletion. [GL #602] +

      +
    • -

      - When a response-policy zone expires, ensure - that its policies are removed from the RPZ summary database. - [GL #1146] -

      -
    • +

      + When a response-policy zone expires, ensure + that its policies are removed from the RPZ summary database. + [GL #1146] +

      +
    -
- +

License

-

- BIND is open source software licensed under the terms of the Mozilla - Public License, version 2.0 (see the LICENSE - file for the full text). -

-

- The license requires that if you make changes to BIND and distribute - them outside your organization, those changes must be published under - the same license. It does not require that you publish or disclose - anything other than the changes you have made to our software. This - requirement does not affect anyone who is using BIND, with or without - modifications, without redistributing it, nor anyone redistributing - BIND without changes. -

-

- Those wishing to discuss license compliance may contact ISC at - - https://www.isc.org/mission/contact/. -

-
- +

+ BIND is open source software licensed under the terms of the Mozilla + Public License, version 2.0 (see the LICENSE + file for the full text). +

+

+ The license requires that if you make changes to BIND and distribute + them outside your organization, those changes must be published under + the same license. It does not require that you publish or disclose + anything other than the changes you have made to our software. This + requirement does not affect anyone who is using BIND, with or without + modifications, without redistributing it, nor anyone redistributing + BIND without changes. +

+

+ Those wishing to discuss license compliance may contact ISC at + + https://www.isc.org/mission/contact/. +

+

End of Life

-

- The end of life date for BIND 9.14 has not yet been determined. - For those needing long term support, the current Extended Support - Version (ESV) is BIND 9.11, which will be supported until at - least December 2021. See - https://www.isc.org/downloads/software-support-policy/ - for details of ISC's software support policy. -

-
- +

+ The end of life date for BIND 9.14 has not yet been determined. + For those needing long term support, the current Extended Support + Version (ESV) is BIND 9.11, which will be supported until at + least December 2021. See + https://www.isc.org/downloads/software-support-policy/ + for details of ISC's software support policy. +

+

Thank You

-

- Thank you to everyone who assisted us in making this release possible. - If you would like to contribute to ISC to assist us in continuing to - make quality open source software, please visit our donations page at - http://www.isc.org/donate/. -

-
+

+ Thank you to everyone who assisted us in making this release possible. + If you would like to contribute to ISC to assist us in continuing to + make quality open source software, please visit our donations page at + http://www.isc.org/donate/. +

+ diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 79b30aaf3b4..fe9b6d6009a 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index 01b773f43fc..c948b44abfd 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.14.6 +Release Notes for BIND Version 9.14.7 Introduction @@ -55,6 +55,14 @@ Security Fixes number of incoming packets were being rejected. This flaw is disclosed in CVE-2019-6471. [GL #942] + * named could crash with an assertion failure if a forwarder returned a + referral, rather than resolving the query, when QNAME minimization was + enabled. This flaw is disclosed in CVE-2019-6476. [GL #1501] + + * A flaw in DNSSEC verification when transferring mirror zones could + allow data to be incorrectly marked valid. This flaw is disclosed in + CVE-2019-6475. [GL #16P] + New Features * The new GeoIP2 API from MaxMind is now supported when BIND is compiled @@ -98,8 +106,8 @@ New Features Bug Fixes * When qname-minimization was set to relaxed, some improperly configured - domains would fail to resolve, but would have succeeded if - minimization were disabled. named will now fall back to normal + domains would fail to resolve, but would have succeeded when + minimization was disabled. named will now fall back to normal resolution in such cases, and also uses type A rather than NS for minimal queries in order to reduce the likelihood of encountering the problem. [GL #1055] 
@@ -107,13 +115,6 @@ Bug Fixes * Glue address records were not being returned in responses to root priming queries; this has been corrected. [GL #1092] - * Cache database statistics counters could report invalid values when - stale answers were enabled, because of a bug in counter maintenance - when cache data becomes stale. The statistics counters have been - corrected to report the number of RRsets for each RR type that are - active, stale but still potentially served, or stale and marked for - deletion. [GL #602] - * Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause unexpected results; this has been fixed. [GL #1106] @@ -123,12 +124,19 @@ Bug Fixes * named-checkconf could crash during configuration if configured to use "geoip continent" ACLs with legacy GeoIP. [GL #1163] - * named-checkconf now correctly reports missing dnstap-output option + * named-checkconf now correctly reports a missing dnstap-output option when dnstap is set. [GL #1136] * Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL # 1133] + * Cache database statistics counters could report invalid values when + stale answers were enabled, because of a bug in counter maintenance + when cache data becomes stale. The statistics counters have been + corrected to report the number of RRsets for each RR type that are + active, stale but still potentially served, or stale and marked for + deletion. [GL #602] + * When a response-policy zone expires, ensure that its policies are removed from the RPZ summary database. [GL #1146] diff --git a/lib/dns/api b/lib/dns/api index a26b34ed6a2..02bf955988f 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 LIBINTERFACE = 1310 -LIBREVISION = 1 +LIBREVISION = 2 LIBAGE = 0 diff --git a/lib/isc/api b/lib/isc/api index 52dfa188d04..af5f914be0b 100644 --- a/lib/isc/api +++ b/lib/isc/api 
@@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 LIBINTERFACE = 1309 -LIBREVISION = 1 +LIBREVISION = 2 LIBAGE = 0 diff --git a/lib/isccfg/api b/lib/isccfg/api index 1a831dada61..0f300c7574d 100644 --- a/lib/isccfg/api +++ b/lib/isccfg/api @@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 LIBINTERFACE = 1302 -LIBREVISION = 1 +LIBREVISION = 2 LIBAGE = 0 diff --git a/lib/ns/api b/lib/ns/api index d6c4ffbb4b7..0b11d5edf84 100644 --- a/lib/ns/api +++ b/lib/ns/api @@ -10,5 +10,5 @@ # 9.12: 1200-1299 # 9.13/9.14: 1300-1499 LIBINTERFACE = 1307 -LIBREVISION = 0 +LIBREVISION = 1 LIBAGE = 0 diff --git a/version b/version index 7eccb63a50a..16173e6990c 100644 --- a/version +++ b/version @@ -5,7 +5,7 @@ PRODUCT=BIND DESCRIPTION="(Stable Release)" MAJORVER=9 MINORVER=14 -PATCHVER=6 +PATCHVER=7 RELEASETYPE= RELEASEVER= EXTENSIONS=
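Review bot: in the doc/arm/notes.html hunk, the new Security Fixes entry for CVE-2019-6475 cites `[GL #16P]`, which does not match the numeric form of the other references on the page (`[GL #942]`, `[GL #1501]`). If the suffix marks a non-public issue, say so somewhere a reader can find it; otherwise correct the number, since the same string is repeated in CHANGES and doc/arm/notes.txt. Separately, the hunk (`@@ -15,286 +15,292 @@`) removes and re-adds every paragraph of the page with identical text, which buries the three real changes: the two added security entries, the move of the GL #602 cache-statistics item further down the Bug Fixes list, and the rewording to "would have succeeded when minimization was disabled". Splitting the regeneration from the content change would make the security-relevant text reviewable on its own.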
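Review bot: in the lib/dns/api, lib/isc/api, lib/isccfg/api and lib/ns/api hunks only `LIBREVISION` moves (1 to 2, and 0 to 1 for lib/ns) while `LIBINTERFACE` and `LIBAGE = 0` are untouched, which asserts that no exported interface changed since 9.14.6. Please confirm that this holds for the CVE-2019-6475 and CVE-2019-6476 fixes named in the release notes. If either fix added or altered an exported function or structure, `LIBINTERFACE` needs the bump instead, otherwise a binary built against the 9.14.6 libraries can load an incompatible one.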