Reorder release notes

diff --git a/doc/notes/notes-9.20.14.rst b/doc/notes/notes-9.20.14.rst
index b2e177ebd1e8f02d6f1ef605ff2ea28de8af64c0..7a44e85bb5a9e2bdbc8c5cd075b891402d013639 100644 (file)
--- a/doc/notes/notes-9.20.14.rst
+++ b/doc/notes/notes-9.20.14.rst
@@ -78,16 +78,10 @@ New Features
 Bug Fixes
 ~~~~~~~~~
 
-- Use signer name when disabling DNSSEC algorithms.
-
-  :any:`disable-algorithms` could cause DNSSEC validation failures when
-  the parent zone was signed with the algorithms that were being
-  disabled for the child zone. This has been fixed;
-  :any:`disable-algorithms` now works on a whole-of-zone basis.
+- Missing DNSSEC information when CD bit is set in query.
 
-  If the zone's name is at or below the :any:`disable-algorithms` name
-  the algorithm is disabled for that zone, using deepest match when
-  there are multiple :any:`disable-algorithms` clauses. :gl:`#5165`
+  The RRSIGs for glue records were not being cached correctly for CD=1
+  queries. This has been fixed. :gl:`#5502`
 
 - :option:`rndc sign` during ZSK rollover will now replace signatures.
 
@@ -96,10 +90,16 @@ Bug Fixes
   successor key, replacing all zone signatures from the predecessor key
   with new ones. :gl:`#5483`
 
-- Missing DNSSEC information when CD bit is set in query.
+- Use signer name when disabling DNSSEC algorithms.
 
-  The RRSIGs for glue records were not being cached correctly for CD=1
-  queries. This has been fixed. :gl:`#5502`
+  :any:`disable-algorithms` could cause DNSSEC validation failures when
+  the parent zone was signed with the algorithms that were being
+  disabled for the child zone. This has been fixed;
+  :any:`disable-algorithms` now works on a whole-of-zone basis.
+
+  If the zone's name is at or below the :any:`disable-algorithms` name
+  the algorithm is disabled for that zone, using deepest match when
+  there are multiple :any:`disable-algorithms` clauses. :gl:`#5165`
 
 - Preserve cache when reload fails and reload the server again.