diff --git a/bind-9.18-partial-additional-records.patch b/bind-9.18-partial-additional-records.patch
new file mode 100644
index 0000000..5aaf66f
--- /dev/null
+++ b/bind-9.18-partial-additional-records.patch
@@ -0,0 +1,54 @@
+From 9140eac85cda21fa86f2768f7ccaf6800776c726 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Thu, 19 Jun 2025 19:51:43 +0200
+Subject: [PATCH] Limit number of additional records fetched
+
+Limit number of started fetches for additional zone instead of doing
+none. Keep limit of NS filled with additional records, but present at
+least some if possible.
+
+Might help broken implementations relying on receiving addresses in the
+response for NS query in authoritative zone.
+---
+ lib/dns/rdataset.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index ffe6163..cfdb7d5 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -586,6 +586,7 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ dns_additionaldatafunc_t add, void *arg, size_t limit) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
++ size_t n = 0;
+
+ /*
+ * For each rdata in rdataset, call 'add' for each name and type in the
+@@ -595,10 +596,6 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+
+- if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+- return DNS_R_TOOMANYRECORDS;
+- }
+-
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+@@ -608,7 +605,11 @@ dns_rdataset_additionaldata2(dns_rdataset_t *rdataset,
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_additionaldata(&rdata, add, arg);
+ if (result == ISC_R_SUCCESS) {
+- result = dns_rdataset_next(rdataset);
++ if (limit != 0 && ++n >= limit) {
++ result = DNS_R_TOOMANYRECORDS;
++ } else {
++ result = dns_rdataset_next(rdataset);
++ }
+ }
+ dns_rdata_reset(&rdata);
+ } while (result == ISC_R_SUCCESS);
+--
+2.49.0
+
diff --git a/bind.spec b/bind.spec
index b5daf6b..8050f49 100644
--- a/bind.spec
+++ b/bind.spec
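Review bot: In the last hunk of the embedded lib/dns/rdataset.c patch, `if (limit != 0 && ++n >= limit)` fires right after the limit-th record has been handled, so an rdataset holding exactly `limit` records now leaves the loop with DNS_R_TOOMANYRECORDS although nothing was skipped; the removed pre-check only rejected `dns_rdataset_count(rdataset) > limit`. Advancing first and flagging only when a further record really exists keeps the old boundary: `result = dns_rdataset_next(rdataset);` followed by `if (result == ISC_R_SUCCESS && limit != 0 && ++n >= limit) result = DNS_R_TOOMANYRECORDS;`. The work per rdataset stays capped at `limit` calls to `add`, which is presumably the bound that Patch216 (bind-9.18-CVE-2024-11187.patch) was meant to enforce, but DNS_R_TOOMANYRECORDS is now returned after `add` has already run, so any caller that reads it as "nothing was added" should be rechecked. The end of dns_rdataset_additionaldata2 and its callers are outside the hunk, so how the result is propagated is inferred rather than visible here.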
@@ -56,7 +56,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 29%{?dist} +Release: 30%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -185,6 +185,7 @@ Patch216: bind-9.18-CVE-2024-11187.patch Patch217: bind-9.21-resume-qmin-cname.patch # downstream only, extra check for above change, RHEL-30407 Patch218: bind-9.18-query-fname-relative.patch +Patch219: bind-9.18-partial-additional-records.patch %{?systemd_ordering} Requires: coreutils @@ -1229,6 +1230,9 @@ fi; %endif %changelog +* Fri Jun 20 2025 Petr Menšík - 32:9.16.23-30 +- Change additional NS to be served partially (RHEL-84006) + * Tue Jun 10 2025 Petr Menšík - 32:9.18.23-29 - Prevent name.c:670 attributes assertion failed (RHEL-30407) - Add extra checks for relative names