diff --git a/CHANGES b/CHANGES
index ac78f31463..99d0488bc2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4531.	[security]	Some RPZ configurations could go into an infinite
+			query loop when encountering responses with TTL=0.
+			(CVE-2017-3140) [RT #45181]
+
 4629.	[bug]		dns_client_startupdate could not be called with a
 			running client. [RT #45277]
 
diff --git a/README b/README
index 83bdc52434..ad97f0c334 100644
--- a/README
+++ b/README
@@ -229,6 +229,11 @@ disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864,
 CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136,
 CVE-2017-3137, and CVE-2017-3138.
 
+BIND 9.9.11
+
+BIND 9.9.11 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3140.
+
 Building BIND
 
 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
diff --git a/README.md b/README.md
index 7112f6aefc..e5168a854d 100644
--- a/README.md
+++ b/README.md
@@ -246,6 +246,11 @@ flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170,
 CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444,
 CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138.
 
+#### BIND 9.9.11
+
+BIND 9.9.11 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3140.
+
 ### <a name="build"/> Building BIND
 
 BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
diff --git a/bin/named/query.c b/bin/named/query.c
index fffe79d1eb..a1eeb6ea38 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -7033,7 +7033,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * If we have a zero ttl from the cache refetch it.
 		 */
-		if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+		if (!is_zone && !resuming && rdataset->ttl == 0 &&
 		    RECURSIONOK(client))
 		{
 			if (dns_rdataset_isassociated(rdataset))
@@ -7455,7 +7455,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * If we have a zero ttl from the cache refetch it.
 		 */
-		if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+		if (!is_zone && !resuming && rdataset->ttl == 0 &&
 		    RECURSIONOK(client))
 		{
 			if (dns_rdataset_isassociated(rdataset))
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 46507fd1d0..c6f225dcd8 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -73,7 +73,10 @@
     <itemizedlist>
       <listitem>
 	<para>
-	  None.
+	  With certain RPZ configurations, a response with TTL 0
+	  could cause <command>named</command> to go into an infinite
+	  query loop. This flaw is disclosed in CVE-2017-3140.
+	  [RT #45181]
 	</para>
       </listitem>
     </itemizedlist>