diff --git a/SOURCES/bind-9.11-rh1889902.patch b/SOURCES/bind-9.11-rh1889902.patch
new file mode 100644
index 0000000..390e685
--- /dev/null
+++ b/SOURCES/bind-9.11-rh1889902.patch
@@ -0,0 +1,512 @@ +commit 0f835f7eff5bbd45461b9b43276267ff3c953ece +Author: Tomas Korbar +Date: Fri Nov 13 10:23:42 2020 +0100 + + Fix inline resigning + +diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in +index 564c084..5cd0b05 100644 +--- a/bin/tests/system/conf.sh.in ++++ b/bin/tests/system/conf.sh.in +@@ -69,6 +69,8 @@ LWTEST=$TOP/bin/tests/system/lwresd/lwtest + MAKEJOURNAL=$TOP/bin/tests/makejournal + PIPEQUERIES=$TOP/bin/tests/system/pipelined/pipequeries + SAMPLEUPDATE=$TOP/lib/samples/sample-update ++DEFAULT_ALGORITHM=ECDSAP256SHA256 ++DEFAULT_BITS=256 + + # we don't want a KRB5_CONFIG setting breaking the tests + KRB5_CONFIG=/dev/null +@@ -364,3 +366,5 @@ export SAMPLEUPDATE + export SIGNER + export SUBDIRS + export TESTSOCK6 ++export DEFAULT_ALGORITHM ++export DEFAULT_BITS +diff --git a/bin/tests/system/inline/ns8/example.com.db.in b/bin/tests/system/inline/ns8/example.com.db.in +new file mode 100644 +index 0000000..eb39aa7 +--- /dev/null ++++ b/bin/tests/system/inline/ns8/example.com.db.in +@@ -0,0 +1,19 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, You can obtain one at http://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ; 5 minutes ++@ IN SOA ns8 . ( ++ 2000042407 ; serial ++ 20 ; refresh (20 seconds) ++ 20 ; retry (20 seconds) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++ ) ++ NS ns8 ++ns8 A 10.53.0.8 +diff --git a/bin/tests/system/inline/ns8/named.conf.in b/bin/tests/system/inline/ns8/named.conf.in +new file mode 100644 +index 0000000..ea4876b +--- /dev/null ++++ b/bin/tests/system/inline/ns8/named.conf.in +@@ -0,0 +1,146 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. 
("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++// NS8 ++ ++include "../../common/rndc.key"; ++ ++controls { ++ inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++options { ++ query-source address 10.53.0.8; ++ notify-source 10.53.0.8; ++ transfer-source 10.53.0.8; ++ port @PORT@; ++ pid-file "named.pid"; ++ session-keyfile "session.key"; ++ listen-on { 10.53.0.8; }; ++ listen-on-v6 { none; }; ++ recursion no; ++ notify yes; ++ try-tcp-refresh no; ++ notify-delay 0; ++ allow-new-zones yes; ++}; ++ ++zone "example01.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example01.com.db"; ++}; ++ ++zone "example02.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example02.com.db"; ++}; ++ ++zone "example03.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example03.com.db"; ++}; ++ ++zone "example04.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example04.com.db"; ++}; ++ ++zone "example05.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example05.com.db"; ++}; ++ ++zone "example06.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example06.com.db"; ++}; ++ ++zone "example07.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example07.com.db"; ++}; ++ ++zone "example08.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example08.com.db"; ++}; ++ ++zone "example09.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example09.com.db"; ++}; ++ ++zone "example10.com" { ++ type 
master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example10.com.db"; ++}; ++ ++zone "example11.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example11.com.db"; ++}; ++ ++zone "example12.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example12.com.db"; ++}; ++ ++zone "example13.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example13.com.db"; ++}; ++ ++zone "example14.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example14.com.db"; ++}; ++ ++zone "example15.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example15.com.db"; ++}; ++ ++zone "example16.com" { ++ type master; ++ inline-signing yes; ++ auto-dnssec maintain; ++ file "example16.com.db"; ++}; +diff --git a/bin/tests/system/inline/ns8/sign.sh b/bin/tests/system/inline/ns8/sign.sh +new file mode 100644 +index 0000000..5d36cb9 +--- /dev/null ++++ b/bin/tests/system/inline/ns8/sign.sh +@@ -0,0 +1,26 @@ ++#!/bin/sh -e ++# ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++SYSTEMTESTTOP=../.. ++. 
$SYSTEMTESTTOP/conf.sh ++ ++for zone in example01.com example02.com example03.com example04.com \ ++ example05.com example06.com example07.com example08.com \ ++ example09.com example10.com example11.com example12.com \ ++ example13.com example14.com example15.com example16.com ++do ++ rm -f K${zone}.+*+*.key ++ rm -f K${zone}.+*+*.private ++ keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone` ++ keyname=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone` ++ cp example.com.db.in ${zone}.db ++ $SIGNER -S -T 3600 -O raw -o ${zone} ${zone}.db > /dev/null 2>&1 ++done +diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh +index 4dd4dd0..13dd6c7 100644 +--- a/bin/tests/system/inline/setup.sh ++++ b/bin/tests/system/inline/setup.sh +@@ -49,7 +49,9 @@ copy_setports ns4/named.conf.in ns4/named.conf + copy_setports ns5/named.conf.pre ns5/named.conf + copy_setports ns6/named.conf.in ns6/named.conf + copy_setports ns7/named.conf.in ns7/named.conf ++copy_setports ns8/named.conf.in ns8/named.conf + + (cd ns3; $SHELL -e sign.sh) + (cd ns1; $SHELL -e sign.sh) + (cd ns7; $SHELL -e sign.sh) ++(cd ns8; $SHELL -e sign.sh) +diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh +index b517138..22fc1af 100755 +--- a/bin/tests/system/inline/tests.sh ++++ b/bin/tests/system/inline/tests.sh +@@ -1342,5 +1342,24 @@ grep "type: slave" rndc.out.ns3.test$n > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + ++n=`expr $n + 1` ++echo_i "checking reload of touched inline zones ($n)" ++echo_ic "pre-reload 'next key event'" ++nextpart ns8/named.run > nextpart.pre$n.out ++count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.pre$n.out | wc -l` ++echo_ic "found: $count/16" ++[ $count -eq 16 ] || ret=1 ++echo_ic "touch and reload" ++touch ns8/example??.com.db ++$RNDCCMD 10.53.0.8 reload 2>&1 | sed 's/^/ns3 /' | cat_i ++sleep 5 
++echo_ic "post-reload 'next key event'" ++nextpart ns8/named.run > nextpart.post$n.out ++count=`grep "zone example[0-9][0-9].com/IN (signed): next key event:" nextpart.post$n.out | wc -l` ++echo_ic "found: $count/16" ++[ $count -eq 16 ] || ret=1 ++if [ $ret != 0 ]; then echo_i "failed"; fi ++status=`expr $status + $ret` ++ + echo_i "exit status: $status" + [ $status -eq 0 ] || exit 1 +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 96c98d5..42a1811 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -3611,6 +3611,8 @@ set_resigntime(dns_zone_t *zone) { + isc_uint32_t nanosecs; + dns_db_t *db = NULL; + ++ INSIST(LOCKED_ZONE(zone)); ++ + /* We only re-sign zones that can be dynamically updated */ + if (zone->update_disabled) + return; +@@ -4958,6 +4960,14 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime, + DNS_ZONE_FLAG(zone->secure, DNS_ZONEFLG_LOADED)) + { + DNS_ZONE_CLRFLAG(zone->secure, DNS_ZONEFLG_LOADPENDING); ++ /* ++ * Re-start zone maintenance if it had been stalled ++ * due to DNS_ZONEFLG_LOADPENDING being set when ++ * zone_maintenance was called. ++ */ ++ if (zone->secure->task != NULL) { ++ zone_settimer(zone->secure, &now); ++ } + } + + return (result); +@@ -6672,14 +6682,15 @@ zone_resigninc(dns_zone_t *zone) { + if (version != NULL) { + dns_db_closeversion(db, &version, ISC_FALSE); + dns_db_detach(&db); +- } else if (db != NULL) ++ } else if (db != NULL) { + dns_db_detach(&db); ++ } ++ ++ LOCK_ZONE(zone); + if (result == ISC_R_SUCCESS) { + set_resigntime(zone); +- LOCK_ZONE(zone); + zone_needdump(zone, DNS_DUMP_DELAY); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); +- UNLOCK_ZONE(zone); + } else { + /* + * Something failed. Retry in 5 minutes. 
+@@ -6688,6 +6699,7 @@ zone_resigninc(dns_zone_t *zone) { + isc_interval_set(&ival, 300, 0); + isc_time_nowplusinterval(&zone->resigntime, &ival); + } ++ UNLOCK_ZONE(zone); + + INSIST(version == NULL); + } +@@ -8177,7 +8189,9 @@ zone_nsec3chain(dns_zone_t *zone) { + nsec3chain = ISC_LIST_HEAD(cleanup); + } + ++ LOCK_ZONE(zone); + set_resigntime(zone); ++ UNLOCK_ZONE(zone); + + failure: + if (result != ISC_R_SUCCESS) +@@ -8841,14 +8855,14 @@ zone_sign(dns_zone_t *zone) { + signing = ISC_LIST_HEAD(cleanup); + } + ++ LOCK_ZONE(zone); + set_resigntime(zone); + + if (commit) { +- LOCK_ZONE(zone); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); + zone_needdump(zone, DNS_DUMP_DELAY); +- UNLOCK_ZONE(zone); + } ++ UNLOCK_ZONE(zone); + + failure: + /* +@@ -8885,6 +8899,7 @@ zone_sign(dns_zone_t *zone) { + } else if (db != NULL) + dns_db_detach(&db); + ++ LOCK_ZONE(zone); + if (ISC_LIST_HEAD(zone->signing) != NULL) { + isc_interval_t interval; + if (zone->update_disabled || result != ISC_R_SUCCESS) +@@ -8892,8 +8907,10 @@ zone_sign(dns_zone_t *zone) { + else + isc_interval_set(&interval, 0, 10000000); /* 10 ms */ + isc_time_nowplusinterval(&zone->signingtime, &interval); +- } else ++ } else { + isc_time_settoepoch(&zone->signingtime); ++ } ++ UNLOCK_ZONE(zone); + + INSIST(version == NULL); + } +@@ -9983,7 +10000,7 @@ zone_maintenance(dns_zone_t *zone) { + const char me[] = "zone_maintenance"; + isc_time_t now; + isc_result_t result; +- isc_boolean_t dumping; ++ isc_boolean_t dumping, viewok; + + REQUIRE(DNS_ZONE_VALID(zone)); + ENTER; +@@ -10001,8 +10018,12 @@ zone_maintenance(dns_zone_t *zone) { + * adb or resolver will be NULL, and we had better not try + * to do further maintenance on it. 
+ */ +- if (zone->view == NULL || zone->view->adb == NULL) ++ LOCK_ZONE(zone); ++ viewok = (zone->view != NULL && zone->view->adb != NULL); ++ UNLOCK_ZONE(zone); ++ if (!viewok) { + return; ++ } + + TIME_NOW(&now); + +@@ -10195,8 +10216,14 @@ dns_zone_markdirty(dns_zone_t *zone) { + } + + /* XXXMPA make separate call back */ +- if (result == ISC_R_SUCCESS) ++ if (result == ISC_R_SUCCESS) { + set_resigntime(zone); ++ if (zone->task != NULL) { ++ isc_time_t now; ++ TIME_NOW(&now); ++ zone_settimer(zone, &now); ++ } ++ } + } + if (secure != NULL) + UNLOCK_ZONE(secure); +@@ -14418,6 +14445,11 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) { + zone->sourceserialset = ISC_TRUE; + zone_needdump(zone, DNS_DUMP_DELAY); + ++ /* ++ * Set resign time to make sure it is set to the earliest ++ * signature expiration. ++ */ ++ set_resigntime(zone); + TIME_NOW(&timenow); + zone_settimer(zone, &timenow); + UNLOCK_ZONE(zone); +@@ -14436,9 +14468,15 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) { + + if (zone->rss_raw != NULL) + dns_zone_detach(&zone->rss_raw); +- if (result != ISC_R_SUCCESS) ++ if (result != ISC_R_SUCCESS) { ++ LOCK_ZONE(zone); ++ set_resigntime(zone); ++ TIME_NOW(&timenow); ++ zone_settimer(zone, &timenow); ++ UNLOCK_ZONE(zone); + dns_zone_log(zone, ISC_LOG_ERROR, "receive_secure_serial: %s", + dns_result_totext(result)); ++ } + if (tuple != NULL) + dns_difftuple_free(&tuple); + if (soatuple != NULL) +@@ -18096,10 +18134,11 @@ zone_rekey(dns_zone_t *zone) { + + dns_db_closeversion(db, &ver, ISC_TRUE); + ++ LOCK_ZONE(zone); ++ + if (commit) { + dns_difftuple_t *tuple; + +- LOCK_ZONE(zone); + DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); + + zone_needdump(zone, DNS_DUMP_DELAY); +@@ -18217,7 +18256,6 @@ zone_rekey(dns_zone_t *zone) { + * Schedule the next resigning event + */ + set_resigntime(zone); +- UNLOCK_ZONE(zone); + } + + isc_time_settoepoch(&zone->refreshkeytime); +@@ -18231,11 +18269,9 @@ zone_rekey(dns_zone_t *zone) { + 
isc_time_t timethen; + isc_stdtime_t then; + +- LOCK_ZONE(zone); + DNS_ZONE_TIME_ADD(&timenow, zone->refreshkeyinterval, + &timethen); + zone->refreshkeytime = timethen; +- UNLOCK_ZONE(zone); + + for (key = ISC_LIST_HEAD(dnskeys); + key != NULL; +@@ -18246,12 +18282,10 @@ zone_rekey(dns_zone_t *zone) { + continue; + + DNS_ZONE_TIME_ADD(&timenow, then - now, &timethen); +- LOCK_ZONE(zone); + if (isc_time_compare(&timethen, + &zone->refreshkeytime) < 0) { + zone->refreshkeytime = timethen; + } +- UNLOCK_ZONE(zone); + } + + zone_settimer(zone, &timenow); +@@ -18259,6 +18293,7 @@ zone_rekey(dns_zone_t *zone) { + isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); + dns_zone_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); + } ++ UNLOCK_ZONE(zone); + + done: + dns_diff_clear(&diff); +@@ -18293,8 +18328,10 @@ zone_rekey(dns_zone_t *zone) { + * Something went wrong; try again in ten minutes or + * after a key refresh interval, whichever is shorter. + */ ++ LOCK_ZONE(zone); + isc_interval_set(&ival, ISC_MIN(zone->refreshkeyinterval, 600), 0); + isc_time_nowplusinterval(&zone->refreshkeytime, &ival); ++ UNLOCK_ZONE(zone); + goto done; + } + diff --git a/SPECS/bind.spec b/SPECS/bind.spec index b3c535a..d1a4813 100644 --- a/SPECS/bind.spec +++ b/SPECS/bind.spec @@ -64,7 +64,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.11.4 -Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.2 +Release: 26%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}.3 Epoch: 32 Url: http://www.isc.org/products/BIND/ # @@ -176,6 +176,7 @@ Patch189: bind-9.11-CVE-2020-8622.patch Patch190: bind-9.11-CVE-2020-8623.patch Patch191: bind-9.11-CVE-2020-8624.patch Patch192: bind98-rh1769876.patch +Patch193: bind-9.11-rh1889902.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch 
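Review bot: The new check block in bin/tests/system/inline/tests.sh never clears `ret` before its first `[ $count -eq 16 ] || ret=1`, so a failure carried over from the preceding test (whose `status=`expr $status + $ret`` is the context line just above) is counted a second time here; the block should start with `ret=0` right after `n=`expr $n + 1``. In the same block the reload output is labelled with `sed 's/^/ns3 /'` although `$RNDCCMD 10.53.0.8 reload` targets ns8, so the log prefix is wrong and should read `sed 's/^/ns8 /'`. On the lib/dns/zone.c side, the new `INSIST(LOCKED_ZONE(zone))` in set_resigntime turns any caller that does not hold the zone lock into a runtime abort rather than a data race, so every call site not rewritten in this patch needs to be confirmed to hold the lock; the calls in dns_zone_markdirty and the first one in receive_secure_serial appear to rely on a LOCK_ZONE taken outside the visible hunks, and each enclosing function starts outside the hunk. The fixed `sleep 5` before the post-reload count is also a likely source of flakiness on slow hosts; polling for the 16 "next key event" lines with a bounded retry would make the check deterministic.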
@@ -545,6 +546,7 @@ are used for building ISC DHCP. %patch190 -p1 -b .CVE-2020-8623 %patch191 -p1 -b .CVE-2020-8624 %patch192 -p1 -b .rh1769876 +%patch193 -p1 -b .rh1889902 # Override upstream builtin keys cp -fp %{SOURCE29} bind.keys @@ -1526,6 +1528,9 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Fri Nov 06 2020 Tomas Korbar - 32:9.11.4-26.P2.3 +- Fix inline re-signing (#rh1889902) + * Fri Oct 02 2020 Tomas Korbar - 32:9.11.4-26.P2.2 - Fix unsupported algorithms validation (#rh1769876)