diff --git a/CHANGES b/CHANGES
index 998abefbd1..edc11d38f3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4578. [security] Some chaining (CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures.
+ (CVE-2017-3137) [RT #44734]
+
 4577. [func] Make qtype of resolver fuzzing packet configurable via command line. [RT #43540]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 57f563844c..84b70b195e 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -65,11 +65,18 @@
Security Fixes
+
+
+ Some chaining (i.e., type CNAME or DNAME) responses to upstream
+ queries could trigger assertion failures. This flaw is disclosed
+ in CVE-2017-3137. [RT #44734]
+
+
 dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in
- CVE-2017-3136.[RT #44653]
+ CVE-2017-3136. [RT #44653]
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 9261c597e1..52f7c5c2c4 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7034,15 +7034,15 @@ answer_response(fetchctx_t *fctx) {
 rdataset->attributes |=
 DNS_RDATASETATTR_CACHE;
 rdataset->trust = dns_trust_answer;
- if (chaining == 0) {
+ if (external) {
 /*
- * This data is "the" answer
- * to our question only if
- * we're not chaining (i.e.
- * if we haven't followed
- * a CNAME or DNAME).
+ * This data is outside of
+ * our query domain, and
+ * may not be cached.
 */
- INSIST(!external);
+ rdataset->attributes |=
+ DNS_RDATASETATTR_EXTERNAL;
+ } else if (chaining == 0) {
 /*
 * Don't use found_cname here
 * as we have just set it
@@ -7064,14 +7064,6 @@ answer_response(fetchctx_t *fctx) {
 if (aa)
 rdataset->trust =
 dns_trust_authanswer;
- } else if (external) {
- /*
- * This data is outside of
- * our query domain, and
- * may not be cached.
- */
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
 }
 /*
@@ -7246,15 +7238,12 @@ answer_response(fetchctx_t *fctx) {
 * If we are not chaining or the first CNAME
 * is a synthesised CNAME before the DNAME.
 */
- if ((chaining == 0) ||
- (chaining == 1U && synthcname))
+ if (external) {
+ rdataset->attributes |=
+ DNS_RDATASETATTR_EXTERNAL;
+ } else if ((chaining == 0) ||
+ (chaining == 1U && synthcname)) {
- /*
- * This data is "the" answer to
- * our question only if we're
- * not chaining.
- */
- INSIST(!external);
 if (aflag == DNS_RDATASETATTR_ANSWER) {
 have_answer = ISC_TRUE;
 found_dname = ISC_TRUE;
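Review bot: In the first resolver.c hunk (@@ -7034), testing `external` before `chaining == 0` means an answer RRset that sits at the query name but outside the query domain is now tagged DNS_RDATASETATTR_EXTERNAL while chaining == 0, so the `else if (chaining == 0)` branch — which the removed comment described as marking this data as "the" answer — is skipped instead of tripping INSIST. That is the intended outcome for CVE-2017-3137, but the new comment only says the data may not be cached; I would extend it so nobody later "restores" the old order: `* may not be cached; a malformed chaining response can reach here with chaining == 0, so this must be tested before the answer branch.` How answer_response proceeds when the response ends with no answer marked, and how `external` is derived for each rdataset, are outside this hunk and worth confirming, ideally with a regression test that feeds a crafted response whose answer RRset lies outside the query domain. Note also that DNS_RDATASETATTR_CACHE, set on the context line above, remains set alongside EXTERNAL, as it did in the old else-if branch. answer_response begins and ends outside the hunk.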
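Review bot: In the DNAME hunk (@@ -7246) the context comment directly above the new code, `If we are not chaining or the first CNAME is a synthesised CNAME before the DNAME.`, now sits over `if (external) {` and describes only the `else if` that follows, so comment and code disagree. I would reword it to cover both branches: `Data outside our query domain is marked external and never cached; otherwise, if we are not chaining or the first CNAME is a synthesised CNAME before the DNAME, this DNAME is the answer.` The comment explaining that this branch means "the" answer was deleted together with the INSIST, so that header sentence is now the only statement of why `have_answer` and `found_dname` are set here. As in the CNAME hunk, an out-of-domain DNAME with chaining == 0 now leaves `have_answer` unset at this point rather than asserting; what the rest of answer_response does with such a response is outside this hunk and should be pinned by a test. The enclosing function begins and ends outside the hunk.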
@@ -7271,9 +7260,6 @@ answer_response(fetchctx_t *fctx) {
 if (aa)
 rdataset->trust =
 dns_trust_authanswer;
- } else if (external) {
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
 }
 }