diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index ce257b4c072..e5e03ace094 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -479,6 +479,31 @@
relying on the insecure behaviour before upgrading.
+
+
+ In the PowerDNS Recursor module
+ (services.pdns-recursor), default values of
+ several IP address-related NixOS options have been updated to
+ match the default upstream behavior. In particular, Recursor
+ by default will:
+
+
+
+
+ listen on (and allows connections from) both IPv4 and IPv6
+ addresses
+ (services.pdns-recursor.dns.address,
+ services.pdns-recursor.dns.allowFrom);
+
+
+
+
+ allow only local connections to the REST API server
+ (services.pdns-recursor.api.allowFrom).
+
+
+
+
openssh has been update to 8.9p1, changing
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 408d77526a7..0a4b43db8fa 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -154,6 +154,12 @@ In addition to numerous new and upgraded packages, this release has the followin
- `services.kubernetes.scheduler.{port,address}` now set `--secure-port` and `--bind-address` instead of `--port` and `--address`, since the former have been deprecated and are no longer functional in kubernetes>=1.23. Ensure that you are not relying on the insecure behaviour before upgrading.
+- In the PowerDNS Recursor module (`services.pdns-recursor`), default values of several IP address-related NixOS options have been updated to match the default upstream behavior.
+ In particular, Recursor by default will:
+ - listen on (and allows connections from) both IPv4 and IPv6 addresses
+ (`services.pdns-recursor.dns.address`, `services.pdns-recursor.dns.allowFrom`);
+ - allow only local connections to the REST API server (`services.pdns-recursor.api.allowFrom`).
+
- `openssh` has been update to 8.9p1, changing the FIDO security key middleware interface.
- `services.k3s.enable` no longer implies `systemd.enableUnifiedCgroupHierarchy = false`, and will default to the 'systemd' cgroup driver when using `services.k3s.docker = true`.