diff --git a/NEWS b/NEWS
index 91e79cecc52def98ea00444811426c807579f141..33ecc593f48c8dbf10087e34fc7d197c0ee18c0d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,8 +1,32 @@
+Knot Resolver 2.3.0 (2018-04-23)
+================================
+
+Security
+--------
+- fix CVE-2018-1110: denial of service triggered by malformed DNS messages
+  (!550, !558, security!2, security!4)
+- increase resilience against slow lorris attack (security!5)
+
+Incompatible changes
+--------------------
+- rename serve stale configuration option cache_touted_ns_clean_interval
+  to cache_ns_tout (!537)
 
 Bugfixes
 --------
-- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone
-- validation: fix SERVFAIL for DS . query
+- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)
+- validation: fix SERVFAIL for DS . query (!544)
+- lib/resolve: don't send unecessary queries to parent zone (!513)
+- iterate: fix validation for zones where parent and child share NS (!543)
+- TLS: improve error handling and documentation (!536, !555, !559)
+
+Improvements
+------------
+- prefill: new module to periodically import root zone into cache
+  (replacement for RFC 7706, !511)
+- network_listen_fd: always create end point for supervisor supplied file descriptor
+- daemon: improved TLS error handling
+- use CPPFLAGS build environment variable if set (!547)
 
 
 Knot Resolver 2.2.0 (2018-03-28)
diff --git a/config.mk b/config.mk
index 5a09a86668f61495ba7d1b15976f10f8c329d820..a4f5137582f418f30203f09446283c27655b3a4c 100644
--- a/config.mk
+++ b/config.mk
@@ -1,6 +1,6 @@
 # Project
 MAJOR := 2
-MINOR := 2
+MINOR := 3
 PATCH := 0
 EXTRA :=
 ABIVER := 7