diff --git a/CHANGES b/CHANGES
index 1e461b986e..3e3f9a30b1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6278.	[bug]		The call to isc_mem_setwater() was incorrectly
+			removed from dns_cache_setcachesize(), causing
+			cache overmem conditions not to be detected. [GL #4340]
+
 6277.	[bug]		Take into account local authoritative zones when
 			falling back to serve-stale. [GL #4355]
 
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index d90427fdb8..9713e8c5db 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -66,6 +66,10 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
+- :any:`max-cache-size` accidentally became ineffective in BIND 9.19.16.
+  This has been fixed and the option now behaves as documented again.
+  :gl:`#4340`
+
 - For inline-signing zones, if the unsigned version of the zone contains
   DNSSEC records, it was scheduled to be resigning. This unwanted behavior
   has been fixed. :gl:`#4350`
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index f7c3bbef99..ed93b31c8a 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -239,6 +239,13 @@ dns_cache_getname(dns_cache_t *cache) {
 	return (cache->name);
 }
 
+/* This is a no-op, but has to exist for isc_mem_setwater(). */
+static void
+water(void *arg, int mark) {
+	UNUSED(arg);
+	UNUSED(mark);
+}
+
 void
 dns_cache_setcachesize(dns_cache_t *cache, size_t size) {
 	REQUIRE(VALID_CACHE(cache));
@@ -254,6 +261,14 @@ dns_cache_setcachesize(dns_cache_t *cache, size_t size) {
 	LOCK(&cache->lock);
 	cache->size = size;
 	UNLOCK(&cache->lock);
+
+	size_t hi = size - (size >> 3); /* Approximately 7/8ths. */
+	size_t lo = size - (size >> 2); /* Approximately 3/4ths. */
+	if (size == 0U || hi == 0U || lo == 0U) {
+		isc_mem_clearwater(cache->mctx);
+	} else {
+		isc_mem_setwater(cache->mctx, water, cache, hi, lo);
+	}
 }
 
 size_t