From 764240ca07ab1b796226d5402ccd9fbfa77ec32a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 15 Feb 2017 12:18:51 +1100
Subject: [PATCH] 4575.   [security]      Dns64 with break-dnssec yes; can
 result in a                         assertion failure. (CVE-2017-3136) [RT
 #44653]

(cherry picked from commit 3bce12e4b6d37f570ffc7747b499f8b90e8521ac)
---
 CHANGES           | 2 ++
 bin/named/query.c | 1 +
 2 files changed, 3 insertions(+)

diff --git a/CHANGES b/CHANGES
index 2cf758ef8e..031ce8f150 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+4575.	[security]	Dns64 with break-dnssec yes; can result in a
+			assertion failure. (CVE-2017-3136) [RT #44653]
 
 	--- 9.10.5rc1 released ---
 
diff --git a/bin/named/query.c b/bin/named/query.c
index a190f7c587..f252200628 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -8257,6 +8257,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			result = query_dns64(client, &fname, rdataset,
 					     sigrdataset, dbuf,
 					     DNS_SECTION_ANSWER);
+			noqname = NULL;
 			dns_rdataset_disassociate(rdataset);
 			dns_message_puttemprdataset(client->message, &rdataset);
 			if (result == ISC_R_NOMORE) {