diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 92149db468..5671f3c962 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -897,6 +897,13 @@ dns_catz_zone_add(dns_catz_zones_t *catzs, const dns_name_t *name,
 
 	LOCK(&catzs->lock);
 
+	/*
+	 * This function is called only during a (re)configuration, while
+	 * 'catzs->zones' can become NULL only during shutdown.
+	 */
+	INSIST(catzs->zones != NULL);
+	INSIST(!atomic_load(&catzs->shuttingdown));
+
 	result = isc_ht_find(catzs->zones, name->ndata, name->length,
 			     (void **)&catz);
 	switch (result) {
@@ -932,6 +939,10 @@ dns_catz_zone_get(dns_catz_zones_t *catzs, const dns_name_t *name) {
 	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
 
 	LOCK(&catzs->lock);
+	if (catzs->zones == NULL) {
+		UNLOCK(&catzs->lock);
+		return (NULL);
+	}
 	result = isc_ht_find(catzs->zones, name->ndata, name->length,
 			     (void **)&found);
 	UNLOCK(&catzs->lock);
@@ -2241,6 +2252,11 @@ dns__catz_update_cb(void *data) {
 	 */
 	dns_name_toregion(&updb->origin, &r);
 	LOCK(&catzs->lock);
+	if (catzs->zones == NULL) {
+		UNLOCK(&catzs->lock);
+		result = ISC_R_SHUTTINGDOWN;
+		goto exit;
+	}
 	result = isc_ht_find(catzs->zones, r.base, r.length, (void **)&oldcatz);
 	is_active = (result == ISC_R_SUCCESS && oldcatz->active);
 	UNLOCK(&catzs->lock);
diff --git a/lib/dns/include/dns/catz.h b/lib/dns/include/dns/catz.h
index 826e8df093..5d9af5e0fa 100644
--- a/lib/dns/include/dns/catz.h
+++ b/lib/dns/include/dns/catz.h
@@ -302,7 +302,8 @@ isc_result_t
 dns_catz_zone_add(dns_catz_zones_t *catzs, const dns_name_t *name,
 		  dns_catz_zone_t **catzp);
 /*%<
- * Allocate a new catz named 'name' and put it in 'catzs' collection.
+ * Allocate a new catz named 'name' and put it in 'catzs' collection. This
+ * function is safe to call only during a (re)configuration.
  *
  * Requires:
  * \li	'catzs' is a valid dns_catz_zones_t.