diff --git a/CHANGES b/CHANGES
index a295722d10..9e503a9f2b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -51,6 +51,11 @@
5201. [bug] Fix a possible deadlock in RPZ update code. [GL #973]
+5199. [security] In certain configurations, named could crash
+ if nxdomain-redirect was in use and a redirected
+ query resulted in an NXDOMAIN from the cache.
+ (CVE-2019-6467) [GL #880]
+
5198. [bug] If a fetch context was being shut down and, at the same
time, we returned from qname minimization, an INSIST
could be hit. [GL #966]
diff --git a/bin/tests/system/redirect/clean.sh b/bin/tests/system/redirect/clean.sh
index 27a65d2a5e..b8bba0d107 100644
--- a/bin/tests/system/redirect/clean.sh
+++ b/bin/tests/system/redirect/clean.sh
@@ -27,5 +27,10 @@ rm -f ns3/dsset-signed.
rm -f ns3/nsec3.db*
rm -f ns3/signed.db*
rm -f ns4/*.db
+rm -f ns5/dsset-*
+rm -f ns5/K* ns5/sign.ns5.*
+rm -f ns5/root.db ns5/root.db.signed
+rm -f ns5/signed.db ns5/signed.db.signed
+rm -f ns6/signed.db.signed
rm -f rndc.out
rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/redirect/ns1/root.db b/bin/tests/system/redirect/ns1/root.db
index 532063c05c..7b8caea29a 100644
--- a/bin/tests/system/redirect/ns1/root.db
+++ b/bin/tests/system/redirect/ns1/root.db
@@ -11,7 +11,7 @@ $TTL 3600
@ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0
@ NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
-example NS ns1.example.
+example NS ns1.example.
ns1.example. A 10.53.0.1
signed NS ns1.example.
ns1.signed. A 10.53.0.1
diff --git a/bin/tests/system/redirect/ns4/named.conf.in b/bin/tests/system/redirect/ns4/named.conf.in
index 70f0df07f6..bb421688e8 100644
--- a/bin/tests/system/redirect/ns4/named.conf.in
+++ b/bin/tests/system/redirect/ns4/named.conf.in
@@ -16,7 +16,7 @@ controls { /* empty */ };
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
options {
- query-source address 10.53.0.2; /* note this is not 10.53.0.3 */
+ query-source address 10.53.0.2; /* note this is not 10.53.0.4 */
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
@@ -28,7 +28,6 @@ options {
dnssec-enable yes;
dnssec-validation yes;
nxdomain-redirect "redirect";
-
};
key rndc_key {
diff --git a/bin/tests/system/redirect/ns5/named.conf.in b/bin/tests/system/redirect/ns5/named.conf.in
new file mode 100644
index 0000000000..e06deb02a9
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ port @PORT@;
+ listen-on port @PORT@ { 10.53.0.5; };
+ pid-file "named.pid";
+ nxdomain-redirect signed;
+};
+
+zone "." {
+ type master;
+ file "root.db.signed";
+};
+
+// An unsigned zone that ns6 has a delegation for.
+zone "unsigned." {
+ type master;
+ file "unsigned.db";
+};
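Review bot: Nothing in this new configuration says which case it sets up. `nxdomain-redirect signed;` names a zone that ns5 only delegates (per the comment in ns5/sign.sh) while the root it serves is `root.db.signed`; a comment above the option such as `// Redirect namespace is a delegated signed zone and the root is signed; see CHANGES 5199.` would make that explicit. The same applies to `nxdomain-redirect unsigned;` in ns6/named.conf.in, where the root is unsigned. Unlike the ns4 configuration touched in this commit, neither new file declares `controls` or an rndc key, so it is worth confirming that the test harness can still stop these two servers cleanly.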
diff --git a/bin/tests/system/redirect/ns5/root.db.in b/bin/tests/system/redirect/ns5/root.db.in
new file mode 100644
index 0000000000..90c634706b
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/root.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+. 518400 IN NS a.root-servers.nil.
+a.root-servers.nil. 518400 IN A 10.53.0.5
+signed. 172800 IN NS ns.signed.
+ns.signed. 172800 IN A 10.53.0.6
+unsigned. 172800 IN NS ns.unsigned.
+ns.unsigned. 172800 IN A 10.53.0.5
diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh
new file mode 100644
index 0000000000..e26904a6b2
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/sign.sh
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# We sign the zone here and move the signed zone to ns6.
+# The ns5 server actually does not serve this zone but
+# the DS and NS records are in the test root zone, and
+# delegate to ns6.
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db
+
+key1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null`
+key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out 2>&1
+
+cp signed.db.signed ../ns6
+
+# Root zone.
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+key1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null`
+key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
+
+# cat $infile $key1.key $key2.key > $zonefile
+cat $infile dsset-signed. $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out 2>&1
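Review bot: The root-zone half keeps the earlier form of the command as a comment, `# cat $infile $key1.key $key2.key > $zonefile`, directly above the line that replaced it; that dead line should be dropped. Both `$KEYGEN` calls send stderr to /dev/null, so a key-generation failure under `sh -e` would presumably stop the script without any message; redirecting stderr to a log file, as the `$SIGNER` lines do, would make a setup failure diagnosable. The opening comment says the signed zone is moved to ns6, but the script uses `cp signed.db.signed ../ns6`, so "copy" is the accurate word.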
diff --git a/bin/tests/system/redirect/ns5/signed.db.in b/bin/tests/system/redirect/ns5/signed.db.in
new file mode 100644
index 0000000000..8884120b6c
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/signed.db.in
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.signed. hostmaster.signed. 0 0 0 0 0
+@ IN NS ns.signed.
+
+ns.signed. IN A 10.0.53.6
+domain.signed. IN A 10.0.53.1
+
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
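Review bot: `ns.signed. IN A 10.0.53.6` does not match the glue for the same name in ns5/root.db.in and ns6/root.db, which is 10.53.0.6; the second and third octets look transposed. ns5/unsigned.db has a related mismatch: it gives `ns.unsigned.` as 10.53.0.6 while both root zones delegate to 10.53.0.5, the address ns5 listens on. The new checks in tests.sh only query a name directly under the root, so this probably does not change their result, but the zone data should agree with the delegations: `ns.signed. IN A 10.53.0.6` here and `ns.unsigned. IN A 10.53.0.5` in unsigned.db. `domain.signed. IN A 10.0.53.1` may be deliberate filler, so it is worth a confirming glance.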
diff --git a/bin/tests/system/redirect/ns5/unsigned.db b/bin/tests/system/redirect/ns5/unsigned.db
new file mode 100644
index 0000000000..0f0604d79e
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/unsigned.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.unsigned. hostmaster.unsigned. 0 0 0 0 0
+@ IN NS ns.unsigned.
+
+ns.unsigned. IN A 10.53.0.6
+domain.unsigned. IN A 10.0.53.1
+
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns6/named.conf.in b/bin/tests/system/redirect/ns6/named.conf.in
new file mode 100644
index 0000000000..bca355c3ea
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ port @PORT@;
+ listen-on port @PORT@ { 10.53.0.6; };
+ pid-file "named.pid";
+ nxdomain-redirect unsigned;
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
+// A signed zone that ns5 has a delegation for.
+zone "signed." {
+ type master;
+ file "signed.db.signed";
+};
diff --git a/bin/tests/system/redirect/ns6/root.db b/bin/tests/system/redirect/ns6/root.db
new file mode 100644
index 0000000000..5e78d23ea2
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/root.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+. 518400 IN NS a.root-servers.nil.
+a.root-servers.nil. 518400 IN A 10.53.0.6
+signed. 172800 IN NS ns.signed.
+ns.signed. 172800 IN A 10.53.0.6
+unsigned. 172800 IN NS ns.unsigned.
+ns.unsigned. 172800 IN A 10.53.0.5
diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh
index c5400205f2..cad235bd43 100644
--- a/bin/tests/system/redirect/setup.sh
+++ b/bin/tests/system/redirect/setup.sh
@@ -18,6 +18,8 @@ copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
cp ns2/redirect.db.in ns2/redirect.db
cp ns2/example.db.in ns2/example.db
@@ -25,3 +27,4 @@ cp ns2/example.db.in ns2/example.db
cp ns4/example.db.in ns4/example.db
( cd ns3 && $SHELL sign.sh )
+( cd ns5 && $SHELL sign.sh )
diff --git a/bin/tests/system/redirect/tests.sh b/bin/tests/system/redirect/tests.sh
index 9eb6b42462..810e43e8d8 100644
--- a/bin/tests/system/redirect/tests.sh
+++ b/bin/tests/system/redirect/tests.sh
@@ -517,5 +517,21 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+echo_i "checking tld nxdomain-redirect against signed root zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf > dig.out.ns5.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking tld nxdomain-redirect against unsigned root zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf > dig.out.ns6.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns6.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
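Review bot: Neither new check says that a missing or non-NXDOMAIN reply is how the crash described in CHANGES entry 5199 would show up, or why NXDOMAIN rather than a redirected answer is the expected outcome. A comment before the first check, for example `# named must answer NXDOMAIN here rather than abort; see CHANGES 5199 [GL #880]`, would keep that intent readable. Each check sends a single query per server; if the failure depends on the negative answer already being in the cache, as the CHANGES wording suggests, a repeated query would be needed to cover that path, which is worth confirming against the original report.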
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 37ff53a7ac..225a68245e 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -86,6 +86,19 @@
+ Security Fixes
+
+
+
+ In certain configurations, named could crash
+ with an assertion failure if nxdomain-redirect
+ was in use and a redirected query resulted in an NXDOMAIN from the
+ cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
+
+
+
+
+
New Features
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 93c532c529..4576f59354 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -1312,7 +1312,6 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
dns_dbversion_t **versionp, bool *is_zonep)
{
isc_result_t result;
-
isc_result_t tresult;
unsigned int namelabels;
unsigned int zonelabels;
@@ -1329,8 +1328,9 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
dbp, versionp);
/* See how many labels are in the zone's name. */
- if (result == ISC_R_SUCCESS && zone != NULL)
+ if (result == ISC_R_SUCCESS && zone != NULL) {
zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
+ }
/*
* If # zone labels < # name labels, try to find an even better match
@@ -1397,8 +1397,11 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
* If neither attempt above succeeded, return the cache instead
*/
*is_zonep = true;
- } else if (result == ISC_R_NOTFOUND) {
- result = query_getcachedb(client, name, qtype, dbp, options);
+ } else {
+ if (result == ISC_R_NOTFOUND) {
+ result = query_getcachedb(client, name, qtype, dbp,
+ options);
+ }
*is_zonep = false;
}
return (result);
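Review bot: The new `else` branch assigns `*is_zonep = false` for every result that does not take the zone branch, not only ISC_R_NOTFOUND, and that guarantee is not written down anywhere in the hunk. The existing comment about returning the cache does not describe the error case; a line inside the branch such as `/* Any other result: still report "not a zone" so *is_zonep is always set on return. */` would cover it. The two query_resume hunks further down stop copying `query.redirect.is_zone` back into `qctx->is_zone`; if nothing else reads that saved field it is now write-only and could be removed in a follow-up, though the struct and the code that saves it are outside this diff. query_getdb starts before this hunk, so the condition guarding the first branch is not visible here.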
@@ -4805,11 +4808,13 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
CTRACE(ISC_LOG_DEBUG(3), "redirect2");
- if (client->view->redirectzone == NULL)
+ if (client->view->redirectzone == NULL) {
return (ISC_R_NOTFOUND);
+ }
- if (dns_name_issubdomain(name, client->view->redirectzone))
+ if (dns_name_issubdomain(name, client->view->redirectzone)) {
return (ISC_R_NOTFOUND);
+ }
found = dns_fixedname_initname(&fixed);
dns_rdataset_init(&trdataset);
@@ -4817,8 +4822,9 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client, NULL);
- if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
+ if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) {
return (ISC_R_NOTFOUND);
+ }
if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
if (rdataset->trust == dns_trust_secure)
@@ -4855,16 +4861,19 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
redirectname, NULL);
if (result != ISC_R_SUCCESS)
return (ISC_R_NOTFOUND);
- } else
+ } else {
dns_name_copy(redirectname, client->view->redirectzone, NULL);
+ }
options = 0;
result = query_getdb(client, redirectname, qtype, options, &zone,
&db, &version, &is_zone);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
return (ISC_R_NOTFOUND);
- if (zone != NULL)
+ }
+ if (zone != NULL) {
dns_zone_detach(&zone);
+ }
/*
* Lookup the requested data in the redirect zone.
@@ -5522,7 +5531,6 @@ query_lookup(query_ctx_t *qctx) {
return (ns_query_done(qctx));
}
}
-
return (query_gotanswer(qctx, result));
cleanup:
@@ -5914,7 +5922,6 @@ query_resume(query_ctx_t *qctx) {
RESTORE(qctx->zone, qctx->client->query.redirect.zone);
qctx->authoritative =
qctx->client->query.redirect.authoritative;
- qctx->is_zone = qctx->client->query.redirect.is_zone;
/*
* Free resources used while recursing.
@@ -6023,7 +6030,6 @@ query_resume(query_ctx_t *qctx) {
ISC_EVENT_PTR(&qctx->event), &qctx->event);
} else if (REDIRECT(qctx->client)) {
result = qctx->client->query.redirect.result;
- qctx->is_zone = qctx->client->query.redirect.is_zone;
} else {
result = qctx->event->result;
}
diff --git a/util/copyrights b/util/copyrights
index 3985b6d546..20a7fd1085 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -914,6 +914,7 @@
./bin/tests/system/redirect/clean.sh SH 2011,2012,2013,2014,2015,2016,2018,2019
./bin/tests/system/redirect/ns1/sign.sh SH 2011,2012,2014,2016,2017,2018,2019
./bin/tests/system/redirect/ns3/sign.sh SH 2015,2016,2017,2018,2019
+./bin/tests/system/redirect/ns5/sign.sh SH 2019
./bin/tests/system/redirect/setup.sh SH 2011,2012,2013,2014,2015,2016,2017,2018,2019
./bin/tests/system/redirect/tests.sh SH 2011,2012,2013,2014,2015,2016,2018,2019
./bin/tests/system/resolver/ans2/ans.pl PERL 2000,2001,2004,2007,2009,2010,2012,2016,2018,2019