diff --git a/CHANGES b/CHANGES
index c6227baf10..5a404712cb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6068. [bug] Downloading a zone via TLS from a server which does
+ not negotiate "dot" ALPN token could crash BIND
+ on shutdown. That has been fixed. [GL #3767]
+
 6063. [bug] Revert a change that limited to honour single read for TLSDNS as it broke XoT. [GL #3772]
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index b35a3f53d3..a8d6833236 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -1234,6 +1234,8 @@ xfrin_connect_done(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 CHECK(result);
 if (!isc_nm_xfr_allowed(handle)) {
+ /* set the error code so that XFER will fail */
+ result = ISC_R_NOPERM;
 goto failure;
 }
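Review bot: The `goto failure` in the `!isc_nm_xfr_allowed(handle)` branch of the xfrin.c hunk was reachable with `result` still holding the success value that had just passed `CHECK(result)`, and the added assignment closes that fail-open path for this one branch only. If the `failure:` label (outside this hunk) does not already guard against it, an `INSIST(result != ISC_R_SUCCESS);` at its top would catch any other jump that arrives with a success code, instead of leaving it to surface later as a crash on shutdown. The new comment would help more if it stated the reason, e.g. `/* CHECK() passed, so result is still ISC_R_SUCCESS; the peer is not allowed to do XFR over this transport, fail the transfer */`. Since the CHANGES entry attributes this case to a peer that did not negotiate the "dot" ALPN token, it is also worth confirming that the message logged for `ISC_R_NOPERM` lets an operator tell an ALPN mismatch apart from an ACL denial. The body of xfrin_connect_done starts and ends outside the hunk.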