diff --git a/CHANGES b/CHANGES
index 0a25c5e6f7..e95a36773d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -67,6 +67,11 @@
 4513.	[cleanup]	Minimum Python versions are now 2.7 and 3.2.
 			[RT #43566]
 
+4510.	[security]	Named mishandled some responses where covering RRSIG
+			records are returned without the requested data
+			resulting in a assertion failure. (CVE-2016-9147)
+			[RT #43548]
+
 4509.	[test]		Make the rrl system test more reliable on slower
 			machines by using mdig instead of dig. [RT #43280]
 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index cf3f663686..e3b4d8f901 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6645,15 +6645,19 @@ answer_response(fetchctx_t *fctx) {
 						 * a CNAME or DNAME).
 						 */
 						INSIST(!external);
-						if ((rdataset->type !=
-						     dns_rdatatype_cname) ||
-						    !found_dname ||
-						    (aflag ==
-						     DNS_RDATASETATTR_ANSWER))
+						/*
+						 * Don't use found_cname here
+						 * as we have just set it
+						 * above.
+						 */
+						if (cname == NULL &&
+						    !found_dname &&
+						    aflag ==
+						     DNS_RDATASETATTR_ANSWER)
 						{
 							have_answer = ISC_TRUE;
-							if (rdataset->type ==
-							    dns_rdatatype_cname)
+							if (found_cname &&
+							    cname == NULL)
 								cname = name;
 							name->attributes |=
 							    DNS_NAMEATTR_ANSWER;