diff --git a/CHANGES b/CHANGES index 2fd7f71b2b..64ebb2d70e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4531. [security] Some RPZ configurations could go into an infinite + query loop when encountering responses with TTL=0. + (CVE-2017-3140) [RT #45181] + 4530. [bug] "dyndb" is dependent on dlopen existing / being enabled. [RT #45291] diff --git a/bin/named/query.c b/bin/named/query.c index 97408258ba..6637bc4038 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -6428,7 +6428,7 @@ query_respond(query_ctx_t *qctx) { /* * If we have a zero ttl from the cache, refetch. */ - if (!qctx->is_zone && qctx->event == NULL && + if (!qctx->is_zone && !qctx->resuming && qctx->rdataset->ttl == 0 && RECURSIONOK(qctx->client)) { qctx_clean(qctx); @@ -7895,7 +7895,7 @@ query_cname(query_ctx_t *qctx) { /* * If we have a zero ttl from the cache refetch it. */ - if (!qctx->is_zone && qctx->event == NULL && + if (!qctx->is_zone && !qctx->resuming && qctx->rdataset->ttl == 0 && RECURSIONOK(qctx->client)) { qctx_clean(qctx); diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 225cb3ea39..2b1230f915 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -67,6 +67,14 @@
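Review bot: The comment above the changed condition in query_respond still reads only "If we have a zero ttl from the cache, refetch." and does not say why the refetch is skipped when `qctx->resuming` is set, although that guard is what the CVE-2017-3140 fix relies on. Judging from the CHANGES entry, the old `qctx->event == NULL` test presumably could hold again on a later pass for some RPZ configurations, so a TTL=0 answer was refetched without bound; I would record that in the comment, e.g. `* Refetch a zero-TTL cache answer at most once; skip when resuming, otherwise RPZ can loop (CVE-2017-3140).`. The identical condition is repeated in the query_cname hunk, and a small static predicate shared by both call sites would keep the two guards from drifting apart. No regression test for an RPZ zone receiving a TTL=0 response is visible in this diff, so one may still be needed. Both function bodies start and end outside their hunks.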
Security Fixes + + + With certain RPZ configurations, a response with TTL 0 + could cause named to go into an infinite + query loop. This flaw is disclosed in CVE-2017-3140. + [RT #45181] + + rndc "" could trigger an assertion failure