diff --git a/CHANGES b/CHANGES index f3c93a9974..3ebd640426 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4531. [security] Some RPZ configurations could go into an infinite + query loop when encountering responses with TTL=0. + (CVE-2017-3140) [RT #45181] + 4629. [bug] dns_client_startupdate could not be called with a running client. [RT #45277] diff --git a/README b/README index 1c699cece5..82eb15e370 100644 --- a/README +++ b/README @@ -261,6 +261,11 @@ disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138. +BIND 9.10.6 + +BIND 9.10.6 is a maintenance release, and addresses the security flaw +disclosed in CVE-2017-3140. + Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff --git a/README.md b/README.md index f02202603f..06a342aa9c 100644 --- a/README.md +++ b/README.md @@ -275,6 +275,11 @@ disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138. +#### BIND 9.10.6 + +BIND 9.10.6 is a maintenance release, and addresses the security flaw +disclosed in CVE-2017-3140. + ### Building BIND BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX diff --git a/bin/named/query.c b/bin/named/query.c index d1bcb5c8c6..962cf2cd3f 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -7651,7 +7651,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If we have a zero ttl from the cache refetch it. */ - if (!is_zone && event == NULL && rdataset->ttl == 0 && + if (!is_zone && !resuming && rdataset->ttl == 0 && RECURSIONOK(client)) { if (dns_rdataset_isassociated(rdataset)) 
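Review bot: The comment above the changed condition in query_find still says only "If we have a zero ttl from the cache refetch it", so nothing at the site records why the refetch must be skipped while resuming; the same holds for the identical condition in the second bin/named/query.c hunk (@@ -8093). This guard is what keeps a TTL=0 answer from being refetched on every resume, the loop the CHANGES entry describes for CVE-2017-3140, so I would extend both comments along the lines of `* If we have a zero ttl from the cache refetch it, but not when` / `* resuming: a TTL=0 answer would then be refetched forever [RT #45181].` query_find starts and ends outside both hunks and `resuming` is assigned outside the visible lines, presumably also on an RPZ resume path where `event` is NULL; that assumption is worth confirming and stating in the comment. The two sites repeat the same four-part test and could drift apart again, so a small shared macro or static helper would keep them in step.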
@@ -8093,7 +8093,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If we have a zero ttl from the cache refetch it. */ - if (!is_zone && event == NULL && rdataset->ttl == 0 && + if (!is_zone && !resuming && rdataset->ttl == 0 && RECURSIONOK(client)) { if (dns_rdataset_isassociated(rdataset)) diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 3f1c6d8cfd..14fe88d407 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -71,7 +71,10 @@ - None. + With certain RPZ configurations, a response with TTL 0 + could cause named to go into an infinite + query loop. This flaw is disclosed in CVE-2017-3140. + [RT #45181]