diff --git a/bind-9.16-CVE-2024-1737-runtime-env.patch b/bind-9.16-CVE-2024-1737-runtime-env.patch
new file mode 100644
index 0000000..11956a1
--- /dev/null
+++ b/bind-9.16-CVE-2024-1737-runtime-env.patch
@@ -0,0 +1,133 @@
+From f88517c844075f57f631dc3aac527145f21e038f Mon Sep 17 00:00:00 2001
+From: Petr Mensik
+Date: Mon, 29 Jul 2024 16:20:50 +0200
+Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
+
+Modify rbtdb to not set it only at runtime, but allow setting that also
+in runtime via environment variable. It is still possible to modify
+default during the build define. In addition to it allows runtime change
+also. Can be positive number to set limit, 0 disabled the check.
+
+Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
+records for a single name. This must be positive number, 0 is no accepted.
+
+These replaces max-records-per-type and max-types-per-name in later
+versions. But can be configured only by environment and can be
+configured only globally, not in each view or zone.
+---
+ lib/dns/rbtdb.c | 21 +++++++++++++++++++--
+ lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index e840c06..25242b2 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -6225,15 +6225,29 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
+ #define DNS_RBTDB_MAX_RTYPES 100
+ #endif /* DNS_RBTDB_MAX_RTYPES */
+ 
++static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
++
++static void
++init_max_rtypes(void) {
++ /* Red Hat change, allow setting different max value by environment. */
++ const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
++ if (max) {
++ char *endp = NULL;
++ long l = strtol(max, &endp, 10);
++ if (max != endp && endp && !*endp && l >= 0)
++ dns_g_rbtdb_max_rtypes = l;
++ }
++}
++
+ static bool
+ overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
+ UNUSED(rbtdb);
+ 
+- if (DNS_RBTDB_MAX_RTYPES == 0) {
++ if (dns_g_rbtdb_max_rtypes == 0) {
+ return (false);
+ }
+ 
+- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
++ return (ntypes >= dns_g_rbtdb_max_rtypes);
+ }
+ 
+ static bool
+@@ -8785,6 +8799,8 @@ static dns_dbmethods_t cache_methods = { attach,
+ NULL,
+ adjusthashsize };
+ 
++static isc_once_t once_db = ISC_ONCE_INIT;
++
+ isc_result_t
+ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+ dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+@@ -8798,6 +8814,7 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
+ 
+ /* Keep the compiler happy. */
+ UNUSED(driverarg);
++ RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
+ 
+ rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
+ 
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index dda9038..cef86af 100644
+--- a/lib/dns/rdataslab.c
++++ b/lib/dns/rdataslab.c
+@@ -15,6 +15,7 @@
+ #include
+ 
+ #include
++#include
+ #include
+ #include /* Required for HP/UX (and others?) */
+ #include
+@@ -114,6 +115,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
+ #define DNS_RDATASET_MAX_RECORDS 100
+ #endif /* DNS_RDATASET_MAX_RECORDS */
+ 
++static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
++static isc_once_t once = ISC_ONCE_INIT;
++
++static void
++init_max_records(void) {
++ /* Red Hat change, allow setting different max value by environment. */
++ const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
++ if (max) {
++ char *endp = NULL;
++ long l = strtol(max, &endp, 10);
++ if (max != endp && endp && !*endp && l > 0)
++ dns_g_rdataset_max_records = l;
++ }
++}
++
++
++
+ isc_result_t
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ isc_region_t *region, unsigned int reservelen) {
+@@ -158,7 +176,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ return (ISC_R_SUCCESS);
+ }
+ 
+- if (nitems > DNS_RDATASET_MAX_RECORDS) {
++ RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
++
++ if (nitems > dns_g_rdataset_max_records) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+ 
+@@ -528,7 +548,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+ #endif /* if DNS_RDATASET_FIXED */
+ INSIST(ocount > 0 && ncount > 0);
+ 
+- if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
++ if (ocount + ncount > dns_g_rdataset_max_records) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+ 
+--
+2.45.2
+
diff --git a/bind.spec b/bind.spec
index 7601a64..58b1962 100644
--- a/bind.spec
+++ b/bind.spec
@@ -163,6 +163,8 @@ Patch206: bind-9.16-CVE-2024-1975.patch
 Patch207: bind-9.16-CVE-2024-1737.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
 Patch208: bind-9.18-CVE-2024-4076.patch
+# RH downstream, allow changing by environment
+Patch209: bind-9.16-CVE-2024-1737-runtime-env.patch
 
 %{?systemd_ordering}
 Requires: coreutils
@@ -503,6 +505,7 @@ in HTML and PDF format.
 %patch206 -p1 -b .CVE-2024-1975
 %patch207 -p1 -b .CVE-2024-1737
 %patch208 -p1 -b .CVE-2024-4076
+%patch209 -p1 -b .CVE-2024-1737-env
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1235,6 +1238,7 @@ fi;
 - Resolve CVE-2024-1975
 - Resolve CVE-2024-1737
 - Resolve CVE-2024-4076
+- Add ability to change runtime limits for max types and records per name
 
 * Tue Jul 09 2024 Petr Menšík - 32:9.16.23-21
 - Increase size of hazard pointer array (RHEL-39131)
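Review bot: Both `init_max_rtypes` and `init_max_records` (the `dns_g_rbtdb_max_rtypes = l;` and `dns_g_rdataset_max_records = l;` assignments) store a `long` into a 32-bit unsigned global after checking only its sign, so an oversized value such as `4294967296` wraps silently to 0: for DNS_RBTDB_MAX_RTYPES that disables the CVE-2024-1737 per-name type limit, and for DNS_RDATASET_MAX_RECORDS it makes `nitems > dns_g_rdataset_max_records` reject every rdataset that reaches that check in dns_rdataslab_fromrdataset. `strtol` overflow is not checked either, and on a platform with a 32-bit `long` the clamped LONG_MAX passes the sign test, so a range check alone is not enough. Suggest `errno = 0;` before the `strtol` call and `if (max != endp && endp != NULL && *endp == '\0' && errno == 0 && l >= 0 && l <= UINT32_MAX) {` with an explicit cast on assignment (`l > 0` and `UINT_MAX` in the rdataslab variant); this needs `<errno.h>` and `<stdint.h>`/`<limits.h>` in scope, which I cannot confirm from the hunk because the added `#include` line has its header name stripped in this rendering. The environment of named is operator-controlled, so this is a misconfiguration hazard rather than an attack surface, but a setting that silently turns a CVE mitigation off deserves a rejected-value log line rather than a silent fallback. Separately, `dns_rdataslab_merge` reads `dns_g_rdataset_max_records` without the `isc_once_do` guard that `dns_rdataslab_fromrdataset` has, so if it can run before any slab is created (not determinable here) it sees the compiled-in default instead of the environment override.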