diff --git a/CHANGES b/CHANGES
index 3f7bc28aaa..7b0d6368b8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4531. [security] Some RPZ configurations could go into an infinite
+ query loop when encountering responses with TTL=0.
+ (CVE-2017-3140) [RT #45181]
+
4530. [bug] "dyndb" is dependent on dlopen existing / being
enabled. [RT #45291]
diff --git a/README b/README
index abce8e15e9..88438e0cd4 100644
--- a/README
+++ b/README
@@ -222,6 +222,13 @@ disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147,
CVE-2016-9444, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137
and CVE-2017-3138.
+BIND 9.11.2
+
+BIND 9.11.1 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3140. It also addresses several bugs related to the
+use of an LMDB database to store data related to zones added via rndc
+addzone or catalog zones.
+
Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
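Review bot: the added heading says "BIND 9.11.2" but the paragraph under it opens with "BIND 9.11.1 is a maintenance release", so the section names two different releases. Make the body match the heading (or the reverse, if the heading is the typo) before this goes out in the release README.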
diff --git a/README.md b/README.md
index d906268549..a85f9a410b 100644
--- a/README.md
+++ b/README.md
@@ -234,6 +234,13 @@ flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-3135,
CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138.
+#### BIND 9.11.2
+
+BIND 9.11.1 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3140. It also addresses several bugs related to
+the use of an LMDB database to store data related to zones added via
+`rndc addzone` or catalog zones.
+
### Building BIND
BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
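Review bot: the version mismatch is present in the Markdown copy as well: "#### BIND 9.11.2" is followed by "BIND 9.11.1 is a maintenance release". Correct it here in the same commit as the plain-text README so the two files do not drift apart.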
diff --git a/bin/named/query.c b/bin/named/query.c
index cbaf648dd5..a7af1372f3 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -8102,7 +8102,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* If we have a zero ttl from the cache refetch it.
*/
- if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+ if (!is_zone && !resuming && rdataset->ttl == 0 &&
RECURSIONOK(client))
{
if (dns_rdataset_isassociated(rdataset))
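Review bot: the comment above this condition still reads only "If we have a zero ttl from the cache refetch it." and does not mention the new `!resuming` guard. `resuming` is set outside the visible context, so a reader of this block cannot tell how it differs from the old `event == NULL` test or why it matters here. Please extend the comment to say that a zero-TTL answer is not refetched when the query is being resumed, with a reference to RT #45181.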
@@ -8574,7 +8574,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* If we have a zero ttl from the cache refetch it.
*/
- if (!is_zone && event == NULL && rdataset->ttl == 0 &&
+ if (!is_zone && !resuming && rdataset->ttl == 0 &&
RECURSIONOK(client))
{
if (dns_rdataset_isassociated(rdataset))
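Review bot: this is a second, identical copy of the condition changed in the hunk at line 8102 of query_find(), and duplicated guards like this are easy to fix in one place and miss in the other. Consider moving the test into a single macro or static helper used at both sites. The patch also touches no test files; a regression test for the RPZ with TTL=0 case described in the CHANGES entry would be worth adding alongside it.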
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index a8ed9465f8..8202ca4062 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -95,7 +95,10 @@
- None.
+ With certain RPZ configurations, a response with TTL 0
+ could cause named to go into an infinite
+ query loop. This flaw is disclosed in CVE-2017-3140.
+ [RT #45181]
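Review bot: "certain RPZ configurations" in the new release note gives an operator no way to tell whether their deployment is affected. If the affected configurations can be named, name them here; otherwise point readers to the CVE-2017-3140 advisory for the details.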