diff --git a/bind-9.21-resume-qmin-cname.patch b/bind-9.21-resume-qmin-cname.patch
new file mode 100644
index 0000000..05fd4b4
--- /dev/null
+++ b/bind-9.21-resume-qmin-cname.patch
@@ -0,0 +1,44 @@
+From ac0c3b0477d97fe5c968910f603bb8d04c740da7 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 3 Jun 2025 21:00:58 +0200
+Subject: [PATCH] Handle CNAME and DNAME in resume_min in a special way
+
+When authoritative zone is loaded when query minimization query for the
+same zone is already pending, it might receive unexpected result codes.
+
+Normally DNS_R_CNAME would follow to query_cname after processing sent
+events, but dns_view_findzonecut does not fill CNAME target into
+event->foundevent. Usual lookup via query_lookup would always have that
+filled.
+
+Ideally we would restart the query with unmodified search name, if
+unexpected change from recursing to local zone cut were detected. Until
+dns_view_findzonecut is modified to export zone/cache source of the cut,
+at least fail queries which went into unexpected state.
+---
+ lib/dns/resolver.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 795791246b..39a294437e 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -4497,6 +4497,15 @@ resume_qmin(isc_task_t *task, isc_event_t *event) {
+ 	if (result == DNS_R_NXDOMAIN) {
+ 		result = DNS_R_SERVFAIL;
+ 	}
++	/*
++	 * CNAME or DNAME means zone were added with that record
++	 * after the start of query minimization queries. It means
++	 * we do not have initialized correct hevent->foundname
++	 * and have to fail.
++	 */
++	if (result == DNS_R_CNAME || result == DNS_R_DNAME) {
++		result = DNS_R_SERVFAIL;
++	}
+ 
+ 	if (result != ISC_R_SUCCESS) {
+ 		goto cleanup;
+-- 
+2.49.0
+
diff --git a/bind.spec b/bind.spec
index a6daa14..1e328ed 100644
--- a/bind.spec
+++ b/bind.spec
@@ -80,7 +80,7 @@ License:  MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause
 # Before rebasing bind, ensure bind-dyndb-ldap is ready to be rebuild and use side-tag with it.
 # Updating just bind will cause freeipa-dns-server package to be uninstallable.
 Version:  9.18.33
-Release:  3%{?dist}
+Release:  4%{?dist}
 Epoch:    32
 Url:      https://www.isc.org/downloads/bind/
 #
@@ -127,6 +127,10 @@ Patch28: bind-9.20-nsupdate-tls.patch
 Patch29: bind-9.20-nsupdate-tls-doc.patch
 # Test suport for patch28 nsupdate
 Patch30: bind-9.20-nsupdate-tls-test.patch
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10562
+# https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
+# downstream patch fixing bind-dyndb-ldap causing issue
+Patch32: bind-9.21-resume-qmin-cname.patch
 
 %{?systemd_ordering}
 # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
@@ -912,6 +916,9 @@ fi;
 %endif
 
 %changelog
+* Tue Jun 10 2025 Petr Mensik <pemensik@redhat.com> - 32:9.18.33-4
+- Prevent name.c:670 attributes assertion failed (RHEL-30407)
+
 * Thu Feb 13 2025 Thomas Woerner <twoerner@redhat.com> - 32:9.18.33-3
 - Fix upgrade of doc sub package to remove links replaced by directories
   (RHEL-48798)