diff --git a/doc/Changelog b/doc/Changelog
index 59541fa34..67f89849d 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,7 @@
 	  to correct RFC number.
 	- Fix Assert Causing DoS in synth_cname(),
 	  reported by X41 D-Sec.
+	- Fix similar code in auth_zone synth cname to add the extra checks.
 
 2 December 2019: Wouter
 	- Merge pull request #122 from he32: In tcp_callback_writer(),
diff --git a/services/authzone.c b/services/authzone.c
index b59a7334c..7d806d9d5 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -2380,6 +2380,10 @@ create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
 		return 0; /* rdatalen in DNAME rdata is malformed */
 	if(dname_valid(dtarg, dtarglen) != dtarglen)
 		return 0; /* DNAME RR has malformed rdata */
+	if(qname_len == 0)
+		return 0; /* too short */
+	if(qname_len <= node->namelen)
+		return 0; /* qname too short for dname removal */
 
 	/* synthesize a CNAME */
 	newlen = synth_cname_buf(qname, qname_len, node->namelen,