diff --git a/CHANGES b/CHANGES
index cf80f1cbd3..00a2e5b069 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+ 766.	[bug]		A few cases in query_find() could leak fname.
+			This would trigger the mpctx->allocated == 0
+			assertion when the server exited.  [RT #935]
+
  765.	[func]		ACL names are once again case insensitive, like
 			in BIND 8. [RT #252]
 
diff --git a/bin/named/query.c b/bin/named/query.c
index 9b5ce71732..a60a583c51 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.183 2001/02/18 21:20:29 bwelling Exp $ */
+/* $Id: query.c,v 1.184 2001/03/05 21:38:20 halley Exp $ */
 
 #include <config.h>
 
@@ -2732,12 +2732,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 * below, and it needs to use the name buffer.
 			 */
 			query_keepname(client, fname, dbuf);
-			/*
-			 * We don't want the cleanup code to try to release
-			 * fname if we fail below, so we set it to NULL.
-			 */
-			tname = fname;
-			fname = NULL;
 		} else {
 			/*
 			 * We're not going to use fname, and need to release
@@ -2760,12 +2754,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 */
 		if (dns_rdataset_isassociated(rdataset)) {
 			if (WANTDNSSEC(client))
-				query_addrrset(client, &tname, &rdataset,
+				query_addrrset(client, &fname, &rdataset,
 					       &sigrdataset,
 					       NULL, DNS_SECTION_AUTHORITY);
-			if (tname != NULL)
-				dns_message_puttempname(client->message,
-							&tname);
 		}
 		goto cleanup;
 	case DNS_R_NXDOMAIN:
@@ -2784,12 +2775,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 * below, and it needs to use the name buffer.
 			 */
 			query_keepname(client, fname, dbuf);
-			/*
-			 * We don't want the cleanup code to try to release
-			 * fname if we fail below, so we set it to NULL.
-			 */
-			tname = fname;
-			fname = NULL;
 		} else {
 			/*
 			 * We're not going to use fname, and need to release
@@ -2818,12 +2803,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 */
 		if (dns_rdataset_isassociated(rdataset)) {
 			if (WANTDNSSEC(client))
-				query_addrrset(client, &tname, &rdataset,
+				query_addrrset(client, &fname, &rdataset,
 					       &sigrdataset,
 					       NULL, DNS_SECTION_AUTHORITY);
-			if (tname != NULL)
-				dns_message_puttempname(client->message,
-							&tname);
 		}
 		/*
 		 * Set message rcode.
@@ -3046,10 +3028,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 * more than once.  That means we have to call query_keepname()
 		 * now, and pass a NULL dbuf to query_addrrset().
 		 *
-		 * Since we've done the keepname, it's important that we
-		 * set fname to NULL before we leave this 'if' block
-		 * otherwise we might try to cleanup fname even though we've
-		 * kept it!
+		 * If we do a query_addrrset() below, we must set fname to
+		 * NULL before leaving this block, otherwise we might try to
+		 * cleanup fname even though we're using it!
 		 */
 		query_keepname(client, fname, dbuf);
 		result = dns_rdatasetiter_first(rdsiter);
@@ -3077,15 +3058,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			}
 			result = dns_rdatasetiter_next(rdsiter);
 		}
-		/*
-		 * As mentioned above, we must now clear fname since we have
-		 * kept it.
-		 */
-		fname = NULL;
-		if (n == 0) {
+		if (n > 0) {
+			/*
+			 * As mentioned above, we must now clear fname
+			 * since we're using it.
+			 */
+			fname = NULL;
+		} else {
 			/*
 			 * We didn't match any rdatasets.
 			 */
+			dns_message_puttempname(client->message, &fname);
 			if (qtype == dns_rdatatype_sig &&
 			    result == ISC_R_NOMORE) {
 				/*