diff --git a/CHANGES b/CHANGES
index 04a6c91376..4d9fb19374 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4107.	[bug]		Address potential deadlock when updating zone content.
+			[RT #39269]
+
 4106.	[port]		Improve readline support. [RT #38938]
 
 4105.	[port]		Misc fixes for Microsoft Visual Studio
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 0782a8fb71..5daac5b085 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -2428,6 +2428,7 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version) {
 	unsigned int count, length;
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 	version->havensec3 = ISC_FALSE;
 	node = rbtdb->origin_node;
 	NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
@@ -2504,6 +2505,7 @@ setnsec3parameters(dns_db_t *db, rbtdb_version_t *version) {
  unlock:
 	NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
 		    isc_rwlocktype_read);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 }
 
 static void
@@ -2565,6 +2567,13 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 		goto end;
 	}
 
+	/*
+	 * Update the zone's secure status in version before making
+	 * it the current version.
+	 */
+	if (version->writer && commit && !IS_CACHE(rbtdb))
+		iszonesecure(db, version, rbtdb->origin_node);
+
 	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
 	serial = version->serial;
 	if (version->writer) {
@@ -2622,11 +2631,6 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 					   cleanup_version->changed_list,
 					   link);
 			}
-			/*
-			 * Update the zone's secure status.
-			 */
-			if (!IS_CACHE(rbtdb))
-				iszonesecure(db, version, rbtdb->origin_node);
 			/*
 			 * Become the current version.
 			 */