diff --git a/SOURCES/bind99-CVE-2016-8864.patch b/SOURCES/bind99-CVE-2016-8864.patch
new file mode 100644
index 0000000..5e54f08
--- /dev/null
+++ b/SOURCES/bind99-CVE-2016-8864.patch
@@ -0,0 +1,174 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 5ef2dd6..1b987dd 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -526,7 +526,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+ 	valarg->addrinfo = addrinfo;
+ 
+ 	if (!ISC_LIST_EMPTY(fctx->validators))
+-		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++		valoptions |= DNS_VALIDATOR_DEFER;
++	else
++		valoptions &= ~DNS_VALIDATOR_DEFER;
+ 
+ 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ 				      sigrdataset, fctx->rmessage,
+@@ -4872,13 +4874,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+ 							   rdataset,
+ 							   sigrdataset,
+ 							   valoptions, task);
+-					/*
+-					 * Defer any further validations.
+-					 * This prevents multiple validators
+-					 * from manipulating fctx->rmessage
+-					 * simultaneously.
+-					 */
+-					valoptions |= DNS_VALIDATOR_DEFER;
+ 				}
+ 			} else if (CHAINING(rdataset)) {
+ 				if (rdataset->type == dns_rdatatype_cname)
+@@ -4984,6 +4979,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+ 				       eresult == DNS_R_NCACHENXRRSET);
+ 			}
+ 			event->result = eresult;
++			if (adbp != NULL && *adbp != NULL) {
++				if (anodep != NULL && *anodep != NULL)
++					dns_db_detachnode(*adbp, anodep);
++				dns_db_detach(adbp);
++			}
+ 			dns_db_attach(fctx->cache, adbp);
+ 			dns_db_transfernode(fctx->cache, &node, anodep);
+ 			clone_results(fctx);
+@@ -5231,6 +5231,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+ 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ 		if (event != NULL) {
+ 			event->result = eresult;
++			if (adbp != NULL && *adbp != NULL) {
++				if (anodep != NULL && *anodep != NULL)
++					dns_db_detachnode(*adbp, anodep);
++				dns_db_detach(adbp);
++			}
+ 			dns_db_attach(fctx->cache, adbp);
+ 			dns_db_transfernode(fctx->cache, &node, anodep);
+ 			clone_results(fctx);
+@@ -6039,13 +6044,15 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+ 	isc_result_t result;
+ 	dns_message_t *message;
+-	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++	dns_name_t *cname = NULL;
+ 	dns_rdataset_t *rdataset, *ns_rdataset;
+ 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
+-	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++	isc_boolean_t have_answer, found_cname, found_dname, found_type;
++	isc_boolean_t wanted_chaining;
+ 	unsigned int aflag;
+ 	dns_rdatatype_t type;
+-	dns_fixedname_t fdname, fqname;
++	dns_fixedname_t fdname, fqname, fqdname;
+ 	dns_view_t *view;
+ 
+ 	FCTXTRACE("answer_response");
+@@ -6059,6 +6066,7 @@ answer_response(fetchctx_t *fctx) {
+ 
+ 	done = ISC_FALSE;
+ 	found_cname = ISC_FALSE;
++	found_dname = ISC_FALSE;
+ 	found_type = ISC_FALSE;
+ 	chaining = ISC_FALSE;
+ 	have_answer = ISC_FALSE;
+@@ -6068,12 +6076,13 @@ answer_response(fetchctx_t *fctx) {
+ 		aa = ISC_TRUE;
+ 	else
+ 		aa = ISC_FALSE;
+-	qname = &fctx->name;
++	dqname = qname = &fctx->name;
+ 	type = fctx->type;
+ 	view = fctx->res->view;
++	dns_fixedname_init(&fqdname);
+ 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ 	while (!done && result == ISC_R_SUCCESS) {
+-		dns_namereln_t namereln;
++		dns_namereln_t namereln, dnamereln;
+ 		int order;
+ 		unsigned int nlabels;
+ 
+@@ -6081,6 +6090,8 @@ answer_response(fetchctx_t *fctx) {
+ 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++		dnamereln = dns_name_fullcompare(dqname, name, &order,
++						 &nlabels);
+ 		if (namereln == dns_namereln_equal) {
+ 			wanted_chaining = ISC_FALSE;
+ 			for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6205,9 +6216,16 @@ answer_response(fetchctx_t *fctx) {
+ 						 * a CNAME or DNAME).
+ 						 */
+ 						INSIST(!external);
+-						if (aflag ==
+-						    DNS_RDATASETATTR_ANSWER) {
++						if ((rdataset->type !=
++						     dns_rdatatype_cname) ||
++						    !found_dname ||
++						    (aflag ==
++						     DNS_RDATASETATTR_ANSWER))
++						{
+ 							have_answer = ISC_TRUE;
++							if (rdataset->type ==
++							    dns_rdatatype_cname)
++								cname = name;
+ 							name->attributes |=
+ 								DNS_NAMEATTR_ANSWER;
+ 						}
+@@ -6303,11 +6321,11 @@ answer_response(fetchctx_t *fctx) {
+ 					return (DNS_R_FORMERR);
+ 				}
+ 
+-				if (namereln != dns_namereln_subdomain) {
++				if (dnamereln != dns_namereln_subdomain) {
+ 					char qbuf[DNS_NAME_FORMATSIZE];
+ 					char obuf[DNS_NAME_FORMATSIZE];
+ 
+-					dns_name_format(qname, qbuf,
++					dns_name_format(dqname, qbuf,
+ 							sizeof(qbuf));
+ 					dns_name_format(name, obuf,
+ 							sizeof(obuf));
+@@ -6322,7 +6340,7 @@ answer_response(fetchctx_t *fctx) {
+ 					want_chaining = ISC_TRUE;
+ 					POST(want_chaining);
+ 					aflag = DNS_RDATASETATTR_ANSWER;
+-					result = dname_target(rdataset, qname,
++					result = dname_target(rdataset, dqname,
+ 							      nlabels, &fdname);
+ 					if (result == ISC_R_NOSPACE) {
+ 						/*
+@@ -6339,10 +6357,13 @@ answer_response(fetchctx_t *fctx) {
+ 
+ 					dname = dns_fixedname_name(&fdname);
+ 					if (!is_answertarget_allowed(view,
+-							qname, rdataset->type,
+-							dname, &fctx->domain)) {
++						     dqname, rdataset->type,
++						     dname, &fctx->domain))
++					{
+ 						return (DNS_R_SERVFAIL);
+ 					}
++					dqname = dns_fixedname_name(&fqdname);
++					dns_name_copy(dname, dqname, NULL);
+ 				} else {
+ 					/*
+ 					 * We've found a signature that
+@@ -6367,6 +6388,10 @@ answer_response(fetchctx_t *fctx) {
+ 					INSIST(!external);
+ 					if (aflag == DNS_RDATASETATTR_ANSWER) {
+ 						have_answer = ISC_TRUE;
++						found_dname = ISC_TRUE;
++						if (cname != NULL)
++							cname->attributes &=
++							   ~DNS_NAMEATTR_ANSWER;
+ 						name->attributes |=
+ 							DNS_NAMEATTR_ANSWER;
+ 					}
diff --git a/SPECS/bind.spec b/SPECS/bind.spec
index 638582e..801e469 100644
--- a/SPECS/bind.spec
+++ b/SPECS/bind.spec
@@ -25,7 +25,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  ISC
 Version:  9.9.4
-Release:  37%{?PATCHVER}%{?PREVER}%{?dist}
+Release:  38%{?PATCHVER}%{?PREVER}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -112,6 +112,7 @@ Patch165:bind99-rh1306610.patch
 Patch166:bind99-rh1220594-geoip.patch
 Patch167:bind99-automatic-interface-scanning-rh1294506.patch
 patch168:bind99-CVE-2016-2776.patch
+patch169:bind99-CVE-2016-8864.patch
 
 # Native PKCS#11 functionality from 9.10
 Patch150:bind-9.9-allow_external_dnskey.patch
@@ -400,6 +401,7 @@ tar -xf %{SOURCE48} -C bin/tests/system/geoip/data
 
 %patch167 -p1 -b .rh1294506
 %patch168 -p1 -b .CVE-2016-2776
+%patch169 -p1 -b .CVE-2016-8864
 
 %if %{PKCS11}
 cp -r bin/named{,-pkcs11}
@@ -1079,6 +1081,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif
 
 %changelog
+* Mon Oct 31 2016 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-38
+- Fix CVE-2016-8864
+
 * Fri Sep 23 2016 Tomas Hozza <thozza@redhat.com> - 32:9.9.4-37
 - Fix CVE-2016-2776