From: Tinderbox User Date: Sat, 6 Apr 2019 01:26:49 +0000 (+0000) Subject: doc rebuild X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1d3cc8314feb0fc4ffb0d40527fd17b76fbd1b9;p=thirdparty%2Fbind9.git doc rebuild --- diff --git a/README b/README index 63cfc184945..de4ae263b3d 100644 --- a/README +++ b/README @@ -157,6 +157,11 @@ BIND 9.12.4 is a maintenance release, and addresses the security vulnerabilities disclosed in CVE-2018-5744, CVE-2018-5745, and CVE-2019-6465. +BIND 9.12.4-P1 + +BIND 9.12.4-P1 addresses the security vulnerabilities disclosed in +CVE-2018-5743 and CVE-2019-6467. + Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index fbb356d80e3..631ef0b46e8 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -614,6 +614,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

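Review bot: the added README paragraph for 9.12.4-P1 names the two CVEs but does not say that this is a security-only patch release; the rebuilt release notes elsewhere in this commit mark New Features, Feature Changes and Bug Fixes as "None.", so wording such as "BIND 9.12.4-P1 is a security release that addresses ..." would mirror the 9.12.4 entry directly above it ("is a maintenance release, and addresses ...") and tell README readers there is nothing else to review before upgrading.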
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index ce4a5ea25df..9d7efb09c44 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -146,6 +146,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index d293040ab5c..dc08a712858 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -759,6 +759,6 @@ controls { -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 96356f9f1e9..f166bd16e4b 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -2867,6 +2867,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index b857f07db53..4c9a07a3253 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -6416,7 +6416,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };

The number of file descriptors reserved for TCP, stdio, etc. This needs to be big enough to cover the number of - interfaces named listens on, tcp-clients as well as + interfaces named listens on plus + tcp-clients, as well as to provide room for outgoing TCP queries and incoming zone transfers. The default is 512. The minimum value is 128 and the @@ -14803,6 +14804,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.12.4

+

BIND 9.12.4-P1

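Review bot: the reworded reserved-sockets sentence now makes the sum explicit (interfaces named listens on plus tcp-clients), but it still leaves the operator to infer that raising tcp-clients requires raising this value too; since the same release enforces the tcp-clients quota (the CVE-2018-5743 entry in the release notes rebuilt in this commit), suggest adding one sentence here such as "If tcp-clients is increased, reserved-sockets must be increased accordingly" so the two options are sized together rather than discovered separately when the descriptor limit is hit.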
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index f14851aa61c..760bdfd1cbb 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -399,6 +399,6 @@ allow-query { !{ !10/8; any; }; key example; }; -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html index 22d6b371b16..09a41ffbdd4 100644 --- a/doc/arm/Bv9ARM.ch07.html +++ b/doc/arm/Bv9ARM.ch07.html @@ -136,6 +136,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html index 1c52f2fd9d7..584b16e5b7a 100644 --- a/doc/arm/Bv9ARM.ch08.html +++ b/doc/arm/Bv9ARM.ch08.html @@ -36,7 +36,7 @@

Table of Contents

-
Release Notes for BIND Version 9.12.4
+
Release Notes for BIND Version 9.12.4-P1
Introduction
Download
@@ -52,7 +52,7 @@

-Release Notes for BIND Version 9.12.4

+Release Notes for BIND Version 9.12.4-P1

@@ -82,76 +82,19 @@ Security Fixes

  • -

    - named could crash during recursive processing - of DNAME records when deny-answer-aliases was - in use. This flaw is disclosed in CVE-2018-5740. [GL #387] -

    -
  • -
  • -

    - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] -

    -
  • -
  • -

    - The serve-stale feature could cause an assertion failure in - rbtdb.c even when stale-answer-enable was false. The - simultaneous use of stale cache records and NSEC aggressive - negative caching could trigger a recursion loop in the - named process. This flaw is disclosed in - CVE-2018-5737. [GL #185] -

    -
  • -
  • -

    - A bug in zone database reference counting could lead to a crash - when multiple versions of a slave zone were transferred from a - master in close succession. This flaw is disclosed in - CVE-2018-5736. [GL #134] -

    -
  • -
  • -

    - Code change #4964, intended to prevent double signatures - when deleting an inactive zone DNSKEY in some situations, - introduced a new problem during zone processing in which - some delegation glue RRsets are incorrectly identified - as needing RRSIGs, which are then created for them using - the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's - NSEC/NSEC3 chain, but incompletely -- this can result in - a broken chain, affecting validation of proof of nonexistence - for records in the zone. [GL #771] -

    -
  • -
  • -

    - named could crash if it managed a DNSSEC - security root with managed-keys and the - authoritative zone rolled the key to an algorithm not supported - by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] +

    + In certain configurations, named could crash + with an assertion failure if nxdomain-redirect + was in use and a redirected query resulted in an NXDOMAIN from the + cache. This flaw is disclosed in CVE-2019-6467. [GL #880]

  • - named leaked memory when processing a - request with multiple Key Tag EDNS options present. ISC - would like to thank Toshifumi Sakaguchi for bringing this - to our attention. This flaw is disclosed in CVE-2018-5744. - [GL #772] -

    -
  • -
  • -

    - Zone transfer controls for writable DLZ zones were not - effective as the allowzonexfr method was - not being called for such zones. This flaw is disclosed in - CVE-2019-6465. [GL #790] + The TCP client quota set using the tcp-clients + option could be exceeded in some cases. This could lead to + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615]

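Review bot: the CVE-2018-5743 entry describes the cause (the tcp-clients quota could be exceeded) and the effect (file-descriptor exhaustion) but gives no operator guidance; since this commit also rewords the reserved-sockets description in Bv9ARM.ch05.html to say it must cover the listening interfaces plus tcp-clients, a sentence here pointing operators at tcp-clients and reserved-sockets sizing would connect the two changes. Minor: the CVE order differs from the README hunk (CVE-2019-6467 then CVE-2018-5743 here; CVE-2018-5743 then CVE-2019-6467 there).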
@@ -160,129 +103,31 @@

New Features

-
    -
  • +
    • - update-policy rules that otherwise ignore the - name field now require that it be set to "." to ensure that any - type list present is properly interpreted. Previously, if the - name field was omitted from the rule declaration but a type list - was present, it wouldn't be interpreted as expected. + None.

      -
    • -
    • -

      - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. [GL #37] -

      -
    • -
    • -

      - Add the ability to not return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned - add answer-cookie no; to - named.conf. [GL #173] -

      -

      - answer-cookie no is only intended as a - temporary measure, for use when named - shares an IP address with other servers that do not yet - support DNS COOKIE. A mismatch between servers on the - same address is not expected to cause operational problems, - but the option to disable COOKIE responses so that all - servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security - mechanism, and should not be disabled unless absolutely - necessary. -

      -
    • -
    • -

      - Two new update policy rule types have been added - krb5-selfsub and ms-selfsub - which allow machines with Kerberos principals to update - the name space at or below the machine names identified - in the respective principals. -

      -
    • -
    • -

      - The new configure option --enable-fips-mode - can be used to make BIND enable and enforce FIPS mode in the - OpenSSL library. When compiled with such option the BIND will - refuse to run if FIPS mode can't be enabled, thus this option - must be only enabled for the systems where FIPS mode is available. -

      -
    • -
    +

Feature Changes

-
    -
  • +
    • - BIND now can be compiled against libidn2 library to add - IDNA2008 support. Previously BIND only supported IDNA2003 - using (now obsolete) idnkit-1 library. + None.

      -
    • -
    • -

      - dig +noidnin can be used to disable IDN - processing on the input domain name, when BIND is compiled - with IDN support. -

      -
    • -
    • -

      - The rndc nta command could not differentiate - between views of the same name but different class; this - has been corrected with the addition of a -class - option. [GL #105] -

      -
    • -
    • -

      - When compiled with IDN support, the dig and the - nslookup commands now disable IDN processing when - the standard output is not a tty (e.g. not used by human). The command - line options +idnin and +idnout need to be used to enable IDN - processing when dig or nslookup - is used from the shell scripts. -

      -
    • -
    +

Bug Fixes

-
    -
  • -

    - When a negative trust anchor was added to multiple views - using rndc nta, the text returned via - rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been - added. This has been fixed. [GL #105] -

    -
  • -
  • +
    • - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] + None.

      -
    • -
    +
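Review bot: replacing the 9.12.4 New Features, Feature Changes and Bug Fixes lists with "None." removes the only release-note mention of root-key-sentinel, answer-cookie no, the krb5-selfsub and ms-selfsub update-policy rule types, --enable-fips-mode, rndc nta -class and the rejection of oversized IXFR transfers from the rendered ARM; if the P1 notes are meant to cover only changes since 9.12.4, the introduction should say so (then "None." reads correctly as "no non-security changes since 9.12.4"), otherwise keep the 9.12.4 entries under their own heading so the ARM shipped with P1 stays self-contained.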
@@ -354,6 +199,6 @@
-

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html index 4703b2ea36c..4df3f02fc7b 100644 --- a/doc/arm/Bv9ARM.ch09.html +++ b/doc/arm/Bv9ARM.ch09.html @@ -148,6 +148,6 @@
-

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html index 0bfec3723cc..87bc4e88293 100644 --- a/doc/arm/Bv9ARM.ch10.html +++ b/doc/arm/Bv9ARM.ch10.html @@ -914,6 +914,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch11.html b/doc/arm/Bv9ARM.ch11.html index 4b117a6074e..591f9091483 100644 --- a/doc/arm/Bv9ARM.ch11.html +++ b/doc/arm/Bv9ARM.ch11.html @@ -533,6 +533,6 @@ $ sample-update -a sample-update -k Kxxx.+nnn+mm -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.ch12.html b/doc/arm/Bv9ARM.ch12.html index ab7adb27e13..ba36d3804f2 100644 --- a/doc/arm/Bv9ARM.ch12.html +++ b/doc/arm/Bv9ARM.ch12.html @@ -210,6 +210,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html index d7ed1a796b0..9622f96c2e6 100644 --- a/doc/arm/Bv9ARM.html +++ b/doc/arm/Bv9ARM.html @@ -32,7 +32,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.12.4

+

BIND Version 9.12.4-P1


@@ -234,7 +234,7 @@
A. Release Notes
-
Release Notes for BIND Version 9.12.4
+
Release Notes for BIND Version 9.12.4-P1
Introduction
Download
@@ -429,6 +429,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf index 33da3291a1f..87e9b5df510 100644 Binary files a/doc/arm/Bv9ARM.pdf and b/doc/arm/Bv9ARM.pdf differ diff --git a/doc/arm/man.arpaname.html b/doc/arm/man.arpaname.html index aafa038aceb..b8bc8c029e0 100644 --- a/doc/arm/man.arpaname.html +++ b/doc/arm/man.arpaname.html @@ -90,6 +90,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.ddns-confgen.html b/doc/arm/man.ddns-confgen.html index 1856369b80e..40fadcdbabc 100644 --- a/doc/arm/man.ddns-confgen.html +++ b/doc/arm/man.ddns-confgen.html @@ -235,6 +235,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.delv.html b/doc/arm/man.delv.html index 2b11a54eb8b..eb3537c9763 100644 --- a/doc/arm/man.delv.html +++ b/doc/arm/man.delv.html @@ -625,6 +625,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html index ea987fd4d6f..cc430b3a9f6 100644 --- a/doc/arm/man.dig.html +++ b/doc/arm/man.dig.html @@ -1141,6 +1141,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-cds.html b/doc/arm/man.dnssec-cds.html index 4dacdebdba8..db1530731f7 100644 --- a/doc/arm/man.dnssec-cds.html +++ b/doc/arm/man.dnssec-cds.html @@ -376,6 +376,6 @@ nsupdate -l -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-checkds.html b/doc/arm/man.dnssec-checkds.html index 2b6dbf61d0d..20eb8458bd7 100644 --- a/doc/arm/man.dnssec-checkds.html +++ b/doc/arm/man.dnssec-checkds.html @@ -150,6 +150,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-coverage.html b/doc/arm/man.dnssec-coverage.html index 61467b4e05b..1f3a6acee17 100644 --- a/doc/arm/man.dnssec-coverage.html +++ b/doc/arm/man.dnssec-coverage.html @@ -270,6 +270,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html index be7103e6fb0..306f9b19de3 100644 --- a/doc/arm/man.dnssec-dsfromkey.html +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -352,6 +352,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-importkey.html b/doc/arm/man.dnssec-importkey.html index d3d4c26169c..20aca274452 100644 --- a/doc/arm/man.dnssec-importkey.html +++ b/doc/arm/man.dnssec-importkey.html @@ -250,6 +250,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 589be899981..947a65abd48 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -498,6 +498,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html index 1c9d1a920dc..91d3083c610 100644 --- a/doc/arm/man.dnssec-keygen.html +++ b/doc/arm/man.dnssec-keygen.html @@ -596,6 +596,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-keymgr.html b/doc/arm/man.dnssec-keymgr.html index ce1daa7121a..7c0a9c96028 100644 --- a/doc/arm/man.dnssec-keymgr.html +++ b/doc/arm/man.dnssec-keymgr.html @@ -416,6 +416,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-revoke.html b/doc/arm/man.dnssec-revoke.html index 44592ac2210..4162910539b 100644 --- a/doc/arm/man.dnssec-revoke.html +++ b/doc/arm/man.dnssec-revoke.html @@ -171,6 +171,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-settime.html b/doc/arm/man.dnssec-settime.html index 2d506d9f913..733fb4b0b02 100644 --- a/doc/arm/man.dnssec-settime.html +++ b/doc/arm/man.dnssec-settime.html @@ -349,6 +349,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html index 5f0d0bebae7..e3f8d226f91 100644 --- a/doc/arm/man.dnssec-signzone.html +++ b/doc/arm/man.dnssec-signzone.html @@ -725,6 +725,6 @@ db.example.com.signed -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html index 4cae2f1a164..11d0b20dc31 100644 --- a/doc/arm/man.dnssec-verify.html +++ b/doc/arm/man.dnssec-verify.html @@ -202,6 +202,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.dnstap-read.html b/doc/arm/man.dnstap-read.html index 9d2fac5e440..435856ecdca 100644 --- a/doc/arm/man.dnstap-read.html +++ b/doc/arm/man.dnstap-read.html @@ -143,6 +143,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.genrandom.html b/doc/arm/man.genrandom.html index 032de6bb06a..e1da97442a7 100644 --- a/doc/arm/man.genrandom.html +++ b/doc/arm/man.genrandom.html @@ -126,6 +126,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 5075bdbcac2..796514655a9 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -375,6 +375,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.mdig.html b/doc/arm/man.mdig.html index b49f7aec1f3..1fcd508ae68 100644 --- a/doc/arm/man.mdig.html +++ b/doc/arm/man.mdig.html @@ -610,6 +610,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html index dddf1681723..64cb7077e5f 100644 --- a/doc/arm/man.named-checkconf.html +++ b/doc/arm/man.named-checkconf.html @@ -200,6 +200,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html index e4d94f6632b..6adbba14c30 100644 --- a/doc/arm/man.named-checkzone.html +++ b/doc/arm/man.named-checkzone.html @@ -463,6 +463,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.named-journalprint.html b/doc/arm/man.named-journalprint.html index 2310c70ebff..e58b02cbd26 100644 --- a/doc/arm/man.named-journalprint.html +++ b/doc/arm/man.named-journalprint.html @@ -117,6 +117,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.named-nzd2nzf.html b/doc/arm/man.named-nzd2nzf.html index 7be7da26276..fac251f892b 100644 --- a/doc/arm/man.named-nzd2nzf.html +++ b/doc/arm/man.named-nzd2nzf.html @@ -119,6 +119,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.named-rrchecker.html b/doc/arm/man.named-rrchecker.html index c21500ed8fb..d05c6fd24bb 100644 --- a/doc/arm/man.named-rrchecker.html +++ b/doc/arm/man.named-rrchecker.html @@ -121,6 +121,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.named.conf.html b/doc/arm/man.named.conf.html index 30abbc19b9b..20fdb197474 100644 --- a/doc/arm/man.named.conf.html +++ b/doc/arm/man.named.conf.html @@ -1054,6 +1054,6 @@ zone -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html index 4ea4790e290..aff6902eaf5 100644 --- a/doc/arm/man.named.html +++ b/doc/arm/man.named.html @@ -492,6 +492,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.nsec3hash.html b/doc/arm/man.nsec3hash.html index 8500a97a800..da866628f12 100644 --- a/doc/arm/man.nsec3hash.html +++ b/doc/arm/man.nsec3hash.html @@ -155,6 +155,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.nslookup.html b/doc/arm/man.nslookup.html index 15317be2803..cd376db689f 100644 --- a/doc/arm/man.nslookup.html +++ b/doc/arm/man.nslookup.html @@ -437,6 +437,6 @@ nslookup -query=hinfo -timeout=10 -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html index 68fec3a874c..612e46ca13e 100644 --- a/doc/arm/man.nsupdate.html +++ b/doc/arm/man.nsupdate.html @@ -832,6 +832,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.pkcs11-destroy.html b/doc/arm/man.pkcs11-destroy.html index d91f65c5099..20325d8ce3a 100644 --- a/doc/arm/man.pkcs11-destroy.html +++ b/doc/arm/man.pkcs11-destroy.html @@ -162,6 +162,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.pkcs11-keygen.html b/doc/arm/man.pkcs11-keygen.html index 14400736f68..e3af08a05d6 100644 --- a/doc/arm/man.pkcs11-keygen.html +++ b/doc/arm/man.pkcs11-keygen.html @@ -200,6 +200,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.pkcs11-list.html b/doc/arm/man.pkcs11-list.html index 87e582fb59c..d2b353d325c 100644 --- a/doc/arm/man.pkcs11-list.html +++ b/doc/arm/man.pkcs11-list.html @@ -158,6 +158,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.pkcs11-tokens.html b/doc/arm/man.pkcs11-tokens.html index 796f52fd152..638af4a03ec 100644 --- a/doc/arm/man.pkcs11-tokens.html +++ b/doc/arm/man.pkcs11-tokens.html @@ -123,6 +123,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html index 92ea4a42121..2eb811cd7cd 100644 --- a/doc/arm/man.rndc-confgen.html +++ b/doc/arm/man.rndc-confgen.html @@ -276,6 +276,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html index 0ff250a9307..b0ed4158ea0 100644 --- a/doc/arm/man.rndc.conf.html +++ b/doc/arm/man.rndc.conf.html @@ -268,6 +268,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html index 2acc2e1b66b..2ebe112fe7e 100644 --- a/doc/arm/man.rndc.html +++ b/doc/arm/man.rndc.html @@ -1015,6 +1015,6 @@ -

BIND 9.12.4

+

BIND 9.12.4-P1

diff --git a/doc/arm/notes.html b/doc/arm/notes.html index 807c86b8896..a9e3c3660ca 100644 --- a/doc/arm/notes.html +++ b/doc/arm/notes.html @@ -15,7 +15,7 @@

-Release Notes for BIND Version 9.12.4

+Release Notes for BIND Version 9.12.4-P1

@@ -45,76 +45,19 @@ Security Fixes

  • -

    - named could crash during recursive processing - of DNAME records when deny-answer-aliases was - in use. This flaw is disclosed in CVE-2018-5740. [GL #387] -

    -
  • -
  • -

    - When recursion is enabled but the allow-recursion - and allow-query-cache ACLs are not specified, they - should be limited to local networks, but they were inadvertently set - to match the default allow-query, thus allowing - remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309] -

    -
  • -
  • -

    - The serve-stale feature could cause an assertion failure in - rbtdb.c even when stale-answer-enable was false. The - simultaneous use of stale cache records and NSEC aggressive - negative caching could trigger a recursion loop in the - named process. This flaw is disclosed in - CVE-2018-5737. [GL #185] -

    -
  • -
  • -

    - A bug in zone database reference counting could lead to a crash - when multiple versions of a slave zone were transferred from a - master in close succession. This flaw is disclosed in - CVE-2018-5736. [GL #134] -

    -
  • -
  • -

    - Code change #4964, intended to prevent double signatures - when deleting an inactive zone DNSKEY in some situations, - introduced a new problem during zone processing in which - some delegation glue RRsets are incorrectly identified - as needing RRSIGs, which are then created for them using - the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's - NSEC/NSEC3 chain, but incompletely -- this can result in - a broken chain, affecting validation of proof of nonexistence - for records in the zone. [GL #771] -

    -
  • -
  • -

    - named could crash if it managed a DNSSEC - security root with managed-keys and the - authoritative zone rolled the key to an algorithm not supported - by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] +

    + In certain configurations, named could crash + with an assertion failure if nxdomain-redirect + was in use and a redirected query resulted in an NXDOMAIN from the + cache. This flaw is disclosed in CVE-2019-6467. [GL #880]

  • - named leaked memory when processing a - request with multiple Key Tag EDNS options present. ISC - would like to thank Toshifumi Sakaguchi for bringing this - to our attention. This flaw is disclosed in CVE-2018-5744. - [GL #772] -

    -
  • -
  • -

    - Zone transfer controls for writable DLZ zones were not - effective as the allowzonexfr method was - not being called for such zones. This flaw is disclosed in - CVE-2019-6465. [GL #790] + The TCP client quota set using the tcp-clients + option could be exceeded in some cases. This could lead to + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615]

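Review bot: in the CVE-2019-6467 entry, "In certain configurations" duplicates the condition that follows ("if nxdomain-redirect was in use and a redirected query resulted in an NXDOMAIN from the cache"), which is the configuration; suggest dropping the opener so the sentence states the triggering condition once. The rest of this hunk is the same generated text as the Bv9ARM.ch08.html hunk above, and doc/arm/notes.xml (also touched in this commit) carries the same sentence, so any wording change belongs in notes.xml rather than in these HTML files.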
@@ -123,129 +66,31 @@

New Features

-
    -
  • +
    • - update-policy rules that otherwise ignore the - name field now require that it be set to "." to ensure that any - type list present is properly interpreted. Previously, if the - name field was omitted from the rule declaration but a type list - was present, it wouldn't be interpreted as expected. + None.

      -
    • -
    • -

      - named now supports the "root key sentinel" - mechanism. This enables validating resolvers to indicate - which trust anchors are configured for the root, so that - information about root key rollover status can be gathered. - To disable this feature, add - root-key-sentinel no; to - named.conf. [GL #37] -

      -
    • -
    • -

      - Add the ability to not return a DNS COOKIE option when one - is present in the request. To prevent a cookie being returned - add answer-cookie no; to - named.conf. [GL #173] -

      -

      - answer-cookie no is only intended as a - temporary measure, for use when named - shares an IP address with other servers that do not yet - support DNS COOKIE. A mismatch between servers on the - same address is not expected to cause operational problems, - but the option to disable COOKIE responses so that all - servers have the same behavior is provided out of an - abundance of caution. DNS COOKIE is an important security - mechanism, and should not be disabled unless absolutely - necessary. -

      -
    • -
    • -

      - Two new update policy rule types have been added - krb5-selfsub and ms-selfsub - which allow machines with Kerberos principals to update - the name space at or below the machine names identified - in the respective principals. -

      -
    • -
    • -

      - The new configure option --enable-fips-mode - can be used to make BIND enable and enforce FIPS mode in the - OpenSSL library. When compiled with such option the BIND will - refuse to run if FIPS mode can't be enabled, thus this option - must be only enabled for the systems where FIPS mode is available. -

      -
    • -
    +

Feature Changes

-
    -
  • +
    • - BIND now can be compiled against libidn2 library to add - IDNA2008 support. Previously BIND only supported IDNA2003 - using (now obsolete) idnkit-1 library. + None.

      -
    • -
    • -

      - dig +noidnin can be used to disable IDN - processing on the input domain name, when BIND is compiled - with IDN support. -

      -
    • -
    • -

      - The rndc nta command could not differentiate - between views of the same name but different class; this - has been corrected with the addition of a -class - option. [GL #105] -

      -
    • -
    • -

      - When compiled with IDN support, the dig and the - nslookup commands now disable IDN processing when - the standard output is not a tty (e.g. not used by human). The command - line options +idnin and +idnout need to be used to enable IDN - processing when dig or nslookup - is used from the shell scripts. -

      -
    • -
    +

Bug Fixes

-
    -
  • -

    - When a negative trust anchor was added to multiple views - using rndc nta, the text returned via - rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been - added. This has been fixed. [GL #105] -

    -
  • -
  • +
    • - named now rejects excessively large - incremental (IXFR) zone transfers in order to prevent - possible corruption of journal files which could cause - named to abort when loading zones. [GL #339] + None.

      -
    • -
    +
diff --git a/doc/arm/notes.pdf b/doc/arm/notes.pdf index 415928eb290..dcfefa80418 100644 Binary files a/doc/arm/notes.pdf and b/doc/arm/notes.pdf differ diff --git a/doc/arm/notes.txt b/doc/arm/notes.txt index b24021472f9..4fdab05649e 100644 --- a/doc/arm/notes.txt +++ b/doc/arm/notes.txt @@ -1,4 +1,4 @@ -Release Notes for BIND Version 9.12.4 +Release Notes for BIND Version 9.12.4-P1 Introduction 
@@ -15,117 +15,26 @@ operating systems. Security Fixes - * named could crash during recursive processing of DNAME records when - deny-answer-aliases was in use. This flaw is disclosed in - CVE-2018-5740. [GL #387] - - * When recursion is enabled but the allow-recursion and - allow-query-cache ACLs are not specified, they should be limited to - local networks, but they were inadvertently set to match the default - allow-query, thus allowing remote queries. This flaw is disclosed in - CVE-2018-5738. [GL #309] - - * The serve-stale feature could cause an assertion failure in rbtdb.c - even when stale-answer-enable was false. The simultaneous use of stale - cache records and NSEC aggressive negative caching could trigger a - recursion loop in the named process. This flaw is disclosed in - CVE-2018-5737. [GL #185] - - * A bug in zone database reference counting could lead to a crash when - multiple versions of a slave zone were transferred from a master in - close succession. This flaw is disclosed in CVE-2018-5736. [GL #134] - - * Code change #4964, intended to prevent double signatures when deleting - an inactive zone DNSKEY in some situations, introduced a new problem - during zone processing in which some delegation glue RRsets are - incorrectly identified as needing RRSIGs, which are then created for - them using the current active ZSK for the zone. In some, but not all - cases, the newly-signed RRsets are added to the zone's NSEC/NSEC3 - chain, but incompletely -- this can result in a broken chain, - affecting validation of proof of nonexistence for records in the zone. - [GL #771] - - * named could crash if it managed a DNSSEC security root with - managed-keys and the authoritative zone rolled the key to an algorithm - not supported by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL - #780] - - * named leaked memory when processing a request with multiple Key Tag - EDNS options present. 
ISC would like to thank Toshifumi Sakaguchi for - bringing this to our attention. This flaw is disclosed in - CVE-2018-5744. [GL #772] - - * Zone transfer controls for writable DLZ zones were not effective as - the allowzonexfr method was not being called for such zones. This flaw - is disclosed in CVE-2019-6465. [GL #790] + * In certain configurations, named could crash with an assertion failure + if nxdomain-redirect was in use and a redirected query resulted in an + NXDOMAIN from the cache. This flaw is disclosed in CVE-2019-6467. [GL + #880] + + * The TCP client quota set using the tcp-clients option could be + exceeded in some cases. This could lead to exhaustion of file + descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615] New Features - * update-policy rules that otherwise ignore the name field now require - that it be set to "." to ensure that any type list present is properly - interpreted. Previously, if the name field was omitted from the rule - declaration but a type list was present, it wouldn't be interpreted as - expected. - - * named now supports the "root key sentinel" mechanism. This enables - validating resolvers to indicate which trust anchors are configured - for the root, so that information about root key rollover status can - be gathered. To disable this feature, add root-key-sentinel no; to - named.conf. [GL #37] - - * Add the ability to not return a DNS COOKIE option when one is present - in the request. To prevent a cookie being returned add answer-cookie - no; to named.conf. [GL #173] - - answer-cookie no is only intended as a temporary measure, for use when - named shares an IP address with other servers that do not yet support - DNS COOKIE. A mismatch between servers on the same address is not - expected to cause operational problems, but the option to disable - COOKIE responses so that all servers have the same behavior is - provided out of an abundance of caution. 
DNS COOKIE is an important - security mechanism, and should not be disabled unless absolutely - necessary. - - * Two new update policy rule types have been added krb5-selfsub and - ms-selfsub which allow machines with Kerberos principals to update the - name space at or below the machine names identified in the respective - principals. - - * The new configure option --enable-fips-mode can be used to make BIND - enable and enforce FIPS mode in the OpenSSL library. When compiled - with such option the BIND will refuse to run if FIPS mode can't be - enabled, thus this option must be only enabled for the systems where - FIPS mode is available. + * None. Feature Changes - * BIND now can be compiled against libidn2 library to add IDNA2008 - support. Previously BIND only supported IDNA2003 using (now obsolete) - idnkit-1 library. - - * dig +noidnin can be used to disable IDN processing on the input domain - name, when BIND is compiled with IDN support. - - * The rndc nta command could not differentiate between views of the same - name but different class; this has been corrected with the addition of - a -class option. [GL #105] - - * When compiled with IDN support, the dig and the nslookup commands now - disable IDN processing when the standard output is not a tty (e.g. not - used by human). The command line options +idnin and +idnout need to be - used to enable IDN processing when dig or nslookup is used from the - shell scripts. + * None. Bug Fixes - * When a negative trust anchor was added to multiple views using rndc - nta, the text returned via rndc was incorrectly truncated after the - first line, making it appear that only one NTA had been added. This - has been fixed. [GL #105] - - * named now rejects excessively large incremental (IXFR) zone transfers - in order to prevent possible corruption of journal files which could - cause named to abort when loading zones. [GL #339] + * None. License 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 101ab56fec8..84bbc8d319e 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -52,7 +52,7 @@ The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. This flaw is disclosed in + exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743. [GL #615]
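Review bot: the only change to doc/arm/notes.xml in this commit is removal of trailing whitespace after "This flaw is disclosed in", yet the rebuilt notes.html, notes.txt, Bv9ARM.ch08.html and both PDFs change substantively (the 9.12.4 entries go, the 9.12.4-P1 entries appear), which means the generated files had not been regenerated when notes.xml was last edited; regenerating in the same commit as the source change, or in the release build instead of committing generated HTML and binary PDFs that cannot be reviewed here, would avoid a window in which the checked-in ARM disagrees with its source.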