diff --git a/CHANGES b/CHANGES
index 855a42e48b..902e52fbd8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -16,7 +16,9 @@
 5480. [placeholder]
-5479. [placeholder]
+5479. [security] named could crash in certain query resolution scenarios
+ where QNAME minimization and forwarding were both
+ enabled. (CVE-2020-8621) [GL #1997]
 5478. [security] It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message.
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 0b21089508..7fc7d91bd8 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -20,6 +20,15 @@ Security Fixes
 ISC would like to thank Emanuel Almeida of Cisco Systems, Inc. for bringing this vulnerability to our attention. [GL #1996]
+- ``named`` could crash after failing an assertion check in certain
+ query resolution scenarios where QNAME minimization and forwarding
+ were both enabled. To prevent such crashes, QNAME minimization is now
+ always disabled for a given query resolution process, if forwarders
+ are used at any point. This was disclosed in CVE-2020-8621.
+
+ ISC would like to thank Joseph Gullo for bringing this vulnerability
+ to our attention. [GL #1997]
+
 Known Issues
 ~~~~~~~~~~~~
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 21f8d96e0e..df43b0a09a 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4013,6 +4013,15 @@ fctx_nextaddress(fetchctx_t *fctx) {
 addrinfo->flags |= FCTX_ADDRINFO_MARK;
 fctx->find = NULL;
 fctx->forwarding = true;
+
+ /*
+ * QNAME minimization is disabled when
+ * forwarding, and has to remain disabled if
+ * we switch back to normal recursion; otherwise
+ * forwarding could leave us in an inconsistent
+ * state.
+ */
+ fctx->minimized = false;
 return (addrinfo);
 }
 }
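Review bot: Clearing `fctx->minimized` at the point where `fctx->forwarding` is set only establishes the invariant at this one site; the new comment says minimization "has to remain disabled" for the rest of the resolution, yet nothing in the hunk prevents a later code path from setting `fctx->minimized = true` again once `fctx->forwarding` has been cleared. If such a re-evaluation exists outside this hunk (I cannot see one from here), it needs to consult whether forwarders were used at any point in this fetch rather than the current `forwarding` flag, otherwise the inconsistent state the comment warns about can be re-entered. The comment should also name the tracked issue so a future cleanup does not treat the assignment as redundant, e.g. `* state (GL #1997, CVE-2020-8621).` in place of the closing `* state.` line. The body of fctx_nextaddress starts and ends outside the hunk.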