diff --git a/CHANGES b/CHANGES
index 1e4309bc7d..783c733b8e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3125. [security] Using wildcard CNAME records as a replacement with
+ RPZ caused named to exit with a assertion failure.
+ [RT #24715]
+
 3124. [bug] Use an rdataset attribute flag to indicate negative-cache
 records rather than using rrtype 0; this will prevent
 problems when that rrtype is
diff --git a/bin/named/query.c b/bin/named/query.c
index e7d8c45d2e..44833c1253 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: query.c,v 1.365 2011/06/08 22:13:50 each Exp $ */
+/* $Id: query.c,v 1.366 2011/06/09 00:42:51 marka Exp $ */
 
 /*! \file */
 
@@ -5416,6 +5416,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 break;
 case DNS_RPZ_POLICY_RECORD:
 if (type == dns_rdatatype_any &&
+ result != DNS_R_CNAME &&
 dns_rdataset_isassociated(rdataset))
 dns_rdataset_disassociate(rdataset);
 break;
diff --git a/bin/tests/system/rpz/ns3/base.db b/bin/tests/system/rpz/ns3/base.db
index 81402e1ec9..47b502ec43 100644
--- a/bin/tests/system/rpz/ns3/base.db
+++ b/bin/tests/system/rpz/ns3/base.db
@@ -12,7 +12,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: base.db,v 1.4 2011/04/27 17:46:47 each Exp $
+; $Id: base.db,v 1.5 2011/06/09 00:42:50 marka Exp $
 
 ; RPZ test
 
@@ -33,3 +33,4 @@ $TTL 120
 ; for testing rrset replacement
 redirect IN A 127.0.0.1
 *.redirect IN A 127.0.0.1
+*.cname-redirect IN CNAME google.com.
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 5688a6a135..0facc30dde 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
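Review bot: The new `result != DNS_R_CNAME` exemption in the DNS_RPZ_POLICY_RECORD case carries no explanation in the code; only the CHANGES entry says it closes an assertion failure hit when a wildcard CNAME is used as an RPZ replacement. Since that old path appears reachable by any client sending an ANY query for a name the policy zone matches, the reason the CNAME rdataset must stay associated deserves a comment next to the condition, e.g. `/* A CNAME policy answer is presumably still consumed below, so keep its rdataset associated; disassociating it here made named abort on wildcard CNAME replacements [RT #24715]. */`. It is also worth confirming whether a DNAME result would need the same exemption, though nothing in this hunk shows that path. query_find() begins and ends outside the hunk.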
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.4 2011/04/27 17:46:47 each Exp $
+# $Id: tests.sh,v 1.5 2011/06/09 00:42:51 marka Exp $
 
 # test response policy zones (RPZ)
 
@@ -223,6 +223,7 @@
 $DIGCMD a3-1.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-2.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-5.tld2 -trrsig @$s3 > /dev/null 2>&1
 $DIGCMD www.redirect -trrsig @$s3 > /dev/null 2>&1
+$DIGCMD www.cname-redirect -trrsig @$s3 > /dev/null 2>&1
 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then
@@ -239,6 +240,24 @@
 $DIGCMD a3-1.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-2.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD a3-5.tld2 -tsig @$s3 > /dev/null 2>&1
 $DIGCMD www.redirect -tsig @$s3 > /dev/null 2>&1
+$DIGCMD www.cname-redirect -tsig @$s3 > /dev/null 2>&1
+
+$RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then
+ echo "I:failed";
+ (cd ..; $PERL start.pl --noclean --restart rpz ns3)
+fi
+status=`expr $status + $ret`
+
+ret=0
+echo "I:checking ANY queries"
+# We don't actually care about the query results; the important
+# thing is the server handles SIG queries okay
+$DIGCMD a3-1.tld2 -tany @$s3 > /dev/null 2>&1
+$DIGCMD a3-2.tld2 -tany @$s3 > /dev/null 2>&1
+$DIGCMD a3-5.tld2 -tany @$s3 > /dev/null 2>&1
+$DIGCMD www.redirect -tany @$s3 > /dev/null 2>&1
+$DIGCMD www.cname-redirect -tany @$s3 > /dev/null 2>&1
 $RNDC -c ../common/rndc.conf -s $s3 -p 9953 status > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then
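Review bot: The comment in the new "checking ANY queries" block was copied from the SIG block and still reads `# thing is the server handles SIG queries okay`, which misstates what this block exercises; it should say `# thing is the server handles ANY queries okay`. Because this block appears to be the regression check for the wildcard-CNAME-under-ANY crash recorded in CHANGES, naming that would help the next reader, e.g. `# (the www.cname-redirect ANY query used to trigger an assertion failure, RT #24715)`. The only pass/fail signal here is the `rndc status` call after the digs, so the block detects a server that died but not a wrong answer, which matches the stated intent.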