Security Fixes
~~~~~~~~~~~~~~
-- [CVE-2026-1519] Fix unbounded NSEC3 iterations when validating
- referrals to unsigned delegations.
+- Fix unbounded NSEC3 iterations when validating referrals to unsigned
+ delegations. :cve:`2026-1519`
DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
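Review bot: the `:cve:` role on the added line is given `2026-1519`, without the `CVE-` prefix that the removed `[CVE-2026-1519]` form spelled out, so the full identifier now appears in the notes only if the role expands it. Please confirm in a built copy that the entry still renders and links as CVE-2026-1519, since readers search release notes by that string. The same check applies to the three entries below that make the identical change.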
ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention. :gl:`#5708`
-- [CVE-2026-3104] Fix memory leaks in code preparing DNSSEC proofs of
- non-existence.
+- Fix memory leaks in code preparing DNSSEC proofs of non-existence.
+ :cve:`2026-3104`
An attacker controlling a DNSSEC-signed zone could trigger a memory
leak in the logic preparing DNSSEC proofs of non-existence, by
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5742`
-- [CVE-2026-3119] Prevent a crash in code processing queries containing
- a TKEY record.
+- Prevent a crash in code processing queries containing a TKEY record.
+ :cve:`2026-3119`
The :iscman:`named` process could terminate unexpectedly when
processing a correctly signed query containing a TKEY record. This has
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention. :gl:`#5748`
-- [CVE-2026-3591] Fix a stack use-after-return flaw in SIG(0) handling
- code.
+- Fix a stack use-after-return flaw in SIG(0) handling code.
+ :cve:`2026-3591`
A stack use-after-return flaw in SIG(0) handling code could enable ACL
bypass and/or assertion failures in certain circumstances. This flaw
Bug Fixes
~~~~~~~~~
-- Resolve "key defined in view is not found"
+- Fix the handling of :namedconf:ref:`key` statements defined inside
+ views.
- Commit `2956e4fc` hardened the `key` name check when used in
- `primaries` to reject the configuration if the key was not defined,
- rather than simply checking whether the key name was correctly formed.
-
- However, the key name check didn't include the view configuration,
- causing keys not to be recognized if they were defined inside the view
- and not at the global level. This regression is now fixed.
+ A recent change introduced in BIND 9.20.17 hardened the
+ :namedconf:ref:`key` name check when used in :any:`primaries`, to
+ immediately reject the configuration if the key was not defined
+ (rather than only checking whether the key name was correctly formed).
+ However, that change introduced a regression that prevented the use of
+ a :namedconf:ref:`key` defined in a view. This has now been fixed.
:gl:`#5761`
-
-
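Review bot: in the rewritten `key` entry, "A recent change introduced in BIND 9.20.17" followed by "that change introduced a regression" repeats "introduced", and "recent" will read as stale once these notes are archived. Suggest "A change in BIND 9.20.17 hardened the ... check" and "However, that change caused a regression". The new text also drops the removed explanation that the key name check did not include the view configuration. One clause saying so would tell operators which configurations were affected, namely keys defined inside a view rather than at the global level.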