diff --git a/CHANGES b/CHANGES
index dabcc1d6a2..bb30262b79 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5016. [bug] Named could assert with overlapping filter-aaaa and
+ dns64 acls. [GL #445]
+
 5015. [bug] Reloading all zones caused zone maintenance to cease for inline-signed zones. [GL #435]
diff --git a/bin/tests/system/filter-aaaa/ns5/hints b/bin/tests/system/filter-aaaa/ns5/hints
new file mode 100644
index 0000000000..381e86b152
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns5/hints
@@ -0,0 +1,11 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
diff --git a/bin/tests/system/filter-aaaa/ns5/named.conf.in b/bin/tests/system/filter-aaaa/ns5/named.conf.in
new file mode 100644
index 0000000000..47b3aff31a
--- /dev/null
+++ b/bin/tests/system/filter-aaaa/ns5/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { fd92:7065:b8e:ffff::5; };
+ recursion yes;
+ dnssec-validation no;
+ notify yes;
+ dns64 64:ff9b::/96 {
+ clients { any; };
+ exclude { any; };
+ mapped { any; };
+ };
+ filter-aaaa-on-v4 break-dnssec;
+ filter-aaaa { any; };
+ minimal-responses no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." { type hint; file "hints"; };
diff --git a/bin/tests/system/filter-aaaa/setup.sh b/bin/tests/system/filter-aaaa/setup.sh
index dc8a462c2a..f2d6dd6aad 100644
--- a/bin/tests/system/filter-aaaa/setup.sh
+++ b/bin/tests/system/filter-aaaa/setup.sh
@@ -18,6 +18,7 @@ copy_setports ns1/named1.conf.in ns1/named.conf
 copy_setports ns2/named1.conf.in ns2/named.conf
 copy_setports ns3/named1.conf.in ns3/named.conf
 copy_setports ns4/named1.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
 (cd ns1 && $SHELL -e sign.sh)
 (cd ns4 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/filter-aaaa/tests.sh b/bin/tests/system/filter-aaaa/tests.sh
index 25ff46c133..16a9332518 100644
--- a/bin/tests/system/filter-aaaa/tests.sh
+++ b/bin/tests/system/filter-aaaa/tests.sh
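Review bot: The dns64 `exclude { any; }` and `filter-aaaa { any; }` blocks are contradictory on purpose, but nothing in this file says so; the rationale appears only in the comment added to tests.sh. A maintainer tidying the fixture could remove the overlap and silently drop the regression coverage for the assertion this commit fixes. Add a comment above the dns64 block, e.g. `// Deliberately overlapping dns64 and filter-aaaa ACLs: regression config for [GL #445].`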
@@ -1374,5 +1374,17 @@ grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+# We don't check for the AAAA record here as configuration in ns5 does
+# not make sense. The AAAA record is wanted by filter-aaaa but discarded
+# by the dns64 configuration. We just want to ensure the server stays
+# running.
+n=`expr $n + 1`
+echo_i "checking filter-aaaa with dns64 ($n)"
+ret=0
+$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 9b868287d7..c3bf4e8c45 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -7208,12 +7208,15 @@ query_respond(query_ctx_t *qctx) {
 return (query_done(qctx));
 }
- result = query_filter_aaaa(qctx);
- if (result != ISC_R_COMPLETE)
- return (result);
 /*
 * Check to see if the AAAA RRset has non-excluded addresses
 * in it. If not look for a A RRset.
+ *
+ * Note: the order of dns64_aaaaok() and query_filter_aaaa() is
+ * important. query_filter_aaaa() calls query_recurse() but
+ * continues so that the AAAA records are added. If the
+ * order is reversed client->query.fetch will be non-NULL
+ * when query_lookup() is called leading to a assertion.
 */
 INSIST(qctx->client->query.dns64_aaaaok == NULL);
@@ -7236,6 +7239,10 @@ query_respond(query_ctx_t *qctx) {
 return (query_lookup(qctx));
 }
+ result = query_filter_aaaa(qctx);
+ if (result != ISC_R_COMPLETE)
+ return (result);
+
 if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) {
 sigrdatasetp = &qctx->sigrdataset;
 }
diff --git a/util/copyrights b/util/copyrights
index 224e108d05..d276fa8067 100644
--- a/util/copyrights
+++ b/util/copyrights
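Review bot: The explanatory comment added to the dns64 block ends with `leading to a assertion`; it should read `leading to an assertion`. It would also help to name the check that fails, presumably the fetch-must-be-NULL assertion inside query_lookup(), so a reader can verify the claim instead of taking it on trust, e.g. `when query_lookup() is called, tripping its assertion that no fetch is in progress.` query_respond() begins before this hunk and continues past it.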
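Review bot: The relocated query_filter_aaaa() call carries no hint that its position is load-bearing; the note explaining why it must follow the dns64 check sits in the comment block roughly thirty lines earlier, so a later refactor could move the call back without noticing. A one-liner at the call site such as `/* Must run after the dns64 AAAA check above; see the ordering note there. */` keeps the constraint visible where it matters. Per the CHANGES entry the misordering surfaced as an assertion failure, i.e. a crash of named, so a regression here is a denial of service rather than a logic bug and is worth keeping pinned by the ns5 system test this commit adds rather than by the comment alone. query_respond() begins before this hunk and continues past it.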
@@ -1235,6 +1235,8 @@
 ./bin/tests/system/filter-aaaa/ns4/sign.sh SH 2010,2012,2014,2016,2018
 ./bin/tests/system/filter-aaaa/ns4/signed.db.in ZONE 2010,2012,2016,2017,2018
 ./bin/tests/system/filter-aaaa/ns4/unsigned.db ZONE 2010,2012,2016,2017,2018
+./bin/tests/system/filter-aaaa/ns5/hints ZONE 2018
+./bin/tests/system/filter-aaaa/ns5/named.conf.in CONF-C 2018
 ./bin/tests/system/filter-aaaa/setup.sh SH 2010,2012,2014,2016,2017,2018
 ./bin/tests/system/filter-aaaa/tests.sh SH 2010,2012,2015,2016,2018
 ./bin/tests/system/formerr/clean.sh SH 2013,2014,2015,2016,2018