This patch was derived from a source code patch provided by ISC to
resolve ISC ticket RT #43779. [9.6-ESV-R11-S10]

--- old/./CHANGES	Thu Jan 12 00:28:22 2017
+++ new/./CHANGES	Thu Jan 12 00:28:22 2017
@@ -1,5 +1,9 @@
 	--- 9.6-ESV-R11-S10 released ---
 
+4530.	[bug]		Change 4489 broke the handling of CNAME -> DNAME
+			in responses resulting in SERVFAIL being returned.
+			[RT #43779]
+
 4517.	[security]	Named could mishandle authority sections that were
 			missing RRSIGs triggering an assertion failure.
 			(CVE-2016-9444) [RT #43632]
--- old/bin/tests/system/dname/ns2/example.db	Thu Jan 12 00:28:22 2017
+++ new/bin/tests/system/dname/ns2/example.db	Thu Jan 12 00:28:22 2017
@@ -29,4 +29,6 @@
 short-dname		DNAME	short
 a.longlonglonglonglonglonglonglonglonglonglonglonglong	A 10.0.0.2
 long-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
-;
+cname			CNAME	a.cnamedname
+cnamedname		DNAME	target
+a.target		A	10.0.0.3
--- old/bin/tests/system/dname/tests.sh	Thu Jan 12 00:28:22 2017
+++ new/bin/tests/system/dname/tests.sh	Thu Jan 12 00:28:22 2017
@@ -63,6 +63,24 @@
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking cname to dname from authoritative"
+ret=0
+$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
+grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking cname to dname from recursive"
+ret=0
+$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
+grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
+grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 
 exit $status
--- old/lib/dns/resolver.c	Thu Jan 12 00:28:23 2017
+++ new/lib/dns/resolver.c	Thu Jan 12 00:28:23 2017
@@ -5776,7 +5776,7 @@
 answer_response(fetchctx_t *fctx) {
 	isc_result_t result;
 	dns_message_t *message;
-	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
 	dns_name_t *cname = NULL;
 	dns_rdataset_t *rdataset, *ns_rdataset;
 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
@@ -5784,7 +5784,7 @@
 	isc_boolean_t wanted_chaining;
 	unsigned int aflag;
 	dns_rdatatype_t type;
-	dns_fixedname_t fdname, fqname, fqdname;
+	dns_fixedname_t fdname, fqname;
 
 	FCTXTRACE("answer_response");
 
@@ -5807,12 +5807,11 @@
 		aa = ISC_TRUE;
 	else
 		aa = ISC_FALSE;
-	dqname = qname = &fctx->name;
+	qname = &fctx->name;
 	type = fctx->type;
-	dns_fixedname_init(&fqdname);
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 	while (!done && result == ISC_R_SUCCESS) {
-		dns_namereln_t namereln, dnamereln;
+		dns_namereln_t namereln;
 
 		int order;
 		unsigned int nlabels;
@@ -5821,8 +5820,6 @@
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
-		dnamereln = dns_name_fullcompare(dqname, name, &order,
-						     &nlabels);
 		if (namereln == dns_namereln_equal) {
 			wanted_chaining = ISC_FALSE;
 			for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6074,11 +6071,24 @@
 					return (DNS_R_FORMERR);
 				}
 
-				if (dnamereln != dns_namereln_subdomain) {
+				/*
+				 * If DNAME + synthetic CNAME then the
+				 * namereln is dns_namereln_subdomain.
+				 *
+				 * If synthetic CNAME + DNAME then the
+				 * namereln is dns_namereln_commonancestor
+				 * and the number of label must match the
+				 * DNAME.  This order is not RFC compliant.
+				 */
+
+				if (namereln != dns_namereln_subdomain &&
+				    (namereln != dns_namereln_commonancestor ||
+				     nlabels != dns_name_countlabels(name)))
+				{
 					char qbuf[DNS_NAME_FORMATSIZE];
 					char obuf[DNS_NAME_FORMATSIZE];
 
-					dns_name_format(dqname, qbuf,
+					dns_name_format(qname, qbuf,
 							sizeof(qbuf));
 					dns_name_format(name, obuf,
 							sizeof(obuf));
@@ -6097,7 +6107,7 @@
 					want_chaining = ISC_TRUE;
 					POST(want_chaining);
 					aflag = DNS_RDATASETATTR_ANSWER;
-					result = dname_target(rdataset, dqname,
+					result = dname_target(rdataset, qname,
 							      nlabels, &fdname);
 					if (result == ISC_R_NOSPACE) {
 						/*
@@ -6113,8 +6123,6 @@
 						dnameset = rdataset;
 
 					dname = dns_fixedname_name(&fdname);
-					dqname = dns_fixedname_name(&fqdname);
-					dns_name_copy(dname, dqname, NULL);
 				} else {
 					/*
 					 * We've found a signature that
@@ -6261,7 +6269,8 @@
 						rdataset->trust =
 						    dns_trust_additional;
 
-					if (rdataset->type == dns_rdatatype_ns) {
+					if (rdataset->type == dns_rdatatype_ns)
+					{
 						ns_name = name;
 						ns_rdataset = rdataset;
 					}