diff --git a/unbound-1.7.0-ref.patch b/unbound-1.7.0-ref.patch
new file mode 100644
index 0000000..94a94c2
--- /dev/null
+++ b/unbound-1.7.0-ref.patch
@@ -0,0 +1,33 @@
+--- a/iterator/iterator.c 2018-04-04 19:03:14.483416675 +0200
++++ b/iteratoriterator.c 2018-04-04 19:05:33.444712537 +0200
+@@ -2161,11 +2161,15 @@
+ log_dns_msg("msg from auth zone",
+ &iq->response->qinfo, iq->response->rep);
+ }
+- iq->num_current_queries++;
+- iq->chase_to_rd = 0;
+- iq->dnssec_lame_query = 0;
+- iq->auth_zone_response = 1;
+- return next_state(iq, QUERY_RESP_STATE);
++ if((iq->chase_flags&BIT_RD) && !(iq->response->rep->flags&BIT_AA)) {
++ verbose(VERB_ALGO, "forwarder, ignoring referral from auth zone");
++ } else {
++ iq->num_current_queries++;
++ iq->chase_to_rd = 0;
++ iq->dnssec_lame_query = 0;
++ iq->auth_zone_response = 1;
++ return next_state(iq, QUERY_RESP_STATE);
++ }
+ }
+ iq->auth_zone_response = 0;
+ if(auth_fallback == 0) {
+@@ -2443,7 +2447,8 @@
+ (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
+ iq->response, &iq->qchase, iq->dp);
+ iq->chase_to_rd = 0;
+- if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD)) {
++ if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
++ !iq->auth_zone_response) {
+ /* When forwarding (RD bit is set), we handle referrals
+ * differently. No queries should be sent elsewhere */
+ type = RESPONSE_TYPE_ANSWER;
diff --git a/unbound.spec b/unbound.spec
index 7fb070d..0f510d4 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -21,7 +21,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.7.0 -Release: 2%{?extra_version:.%{extra_version}}%{?dist} +Release: 3%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://www.unbound.net/ Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
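Review bot: The new-side header of the embedded patch reads `+++ b/iteratoriterator.c`, missing the slash that the `---` line has; with `%patch2 -p1` it probably still applies only because patch can fall back to the old-side name, so it should be `+++ b/iterator/iterator.c`. The patch file also says nothing about where the change comes from, which matters for a downstream change to a resolver's referral handling. A short preamble above the `---` line, for example `Upstream: <upstream commit or bug URL>`, would let it be checked against upstream and dropped on the next rebase. In the first inner hunk the new `verbose(...)` branch falls through to `iq->auth_zone_response = 0;` with `iq->response` still holding the auth-zone message. Whether that is reset before the next use is outside the hunk and worth confirming.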
@@ -43,6 +43,7 @@ Source16: unbound-munin.README Source17: unbound-anchor.service Patch1: unbound-1.7.0-aggrnsec.patch +Patch2: unbound-1.7.0-ref.patch Group: System Environment/Daemons BuildRequires: flex, openssl-devel @@ -142,9 +143,11 @@ Python 3 modules and extensions for unbound mv %{pkgname} %{pkgname}_python2 pushd %{pkgname}_python2 %patch1 -p1 +%patch2 -p1 %else pushd %{pkgname} %patch1 -p1 +%patch2 -p1 %endif # with_python # only for snapshots @@ -439,6 +442,9 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 +- Patch for referral with auth-zone: response + * Wed Mar 21 2018 Paul Wouters - 1.7.0-2 - Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry