diff --git a/CHANGES b/CHANGES
index 695c66023a..2e9d4ef883 100644
--- a/CHANGES
+++ b/CHANGES
@@ -11,6 +11,23 @@
 			release the memory held by the dead view
 			early. [GL #3801]
 
+	--- 9.16.37 released ---
+
+6067.	[security]	Fix serve-stale crash when recursive clients soft quota
+			is reached. (CVE-2022-3924) [GL #3619]
+
+6066.	[security]	Handle RRSIG lookups when serve-stale is active.
+			(CVE-2022-3736) [GL #3622]
+
+6064.	[security]	An UPDATE message flood could cause named to exhaust all
+			available memory. This flaw was addressed by adding a
+			new "update-quota" statement that controls the number of
+			simultaneous UPDATE messages that can be processed or
+			forwarded. The default is 100. A stats counter has been
+			added to record events when the update quota is
+			exceeded, and the XML and JSON statistics version
+			numbers have been updated. (CVE-2022-3094) [GL #3523]
+
 6062.	[func]		The DSCP implementation, which has only been
 			partly operational since 9.16.0, is now marked as
 			deprecated. Configuring DSCP values in named.conf
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
index c145915a19..309e5d4bb7 100644
--- a/bin/named/bind9.xsl
+++ b/bin/named/bind9.xsl
@@ -2,7 +2,9 @@
 
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
   <xsl:output method="html" indent="yes" version="4.0"/>
-  <xsl:template match="statistics[@version=&quot;3.11&quot;]">
+  <!-- the version number **below** must match version in bin/named/statschannel.c -->
+  <!-- don't forget to update "/xml/v<STATS_XML_VERSION_MAJOR>" in the HTTP endpoints listed below -->
+  <xsl:template match="statistics[@version=&quot;3.11.1&quot;]">
     <html>
       <head>
         <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
index 3d3e200eda..fabb5fa879 100644
--- a/bin/named/bind9.xsl.h
+++ b/bin/named/bind9.xsl.h
@@ -8,7 +8,11 @@ static char xslmsg[] =
 	"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" "
 	"xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
 	" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
-	" <xsl:template match=\"statistics[@version=&quot;3.11&quot;]\">\n"
+	" <!-- the version number **below** must match version in "
+	"bin/named/statschannel.c -->\n"
+	" <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
+	"the HTTP endpoints listed below -->\n"
+	" <xsl:template match=\"statistics[@version=&quot;3.11.1&quot;]\">\n"
 	" <html>\n"
 	" <head>\n"
 	" <script type=\"text/javascript\" "
diff --git a/bin/named/config.c b/bin/named/config.c
index 5fedee84d9..494147015f 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -130,6 +130,7 @@ options {\n\
 	transfers-out 10;\n\
 	transfers-per-ns 2;\n\
 	trust-anchor-telemetry yes;\n\
+	update-quota 100;\n\
 \n\
 	/* view */\n\
 	allow-new-zones no;\n\
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index 27eed5ca3e..4c9f9a7370 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -179,7 +179,7 @@ OPTIONS
   	answer-cookie boolean;
   	attach-cache string;
   	auth-nxdomain boolean; // default changed
-  	auto-dnssec ( allow | maintain | off );
+  	auto-dnssec ( allow | maintain | off );// deprecated
   	automatic-interface-scan boolean;
   	avoid-v4-udp-ports { portrange; ... };
   	avoid-v6-udp-ports { portrange; ... };
@@ -446,6 +446,7 @@ OPTIONS
   	trust-anchor-telemetry boolean; // experimental
   	try-tcp-refresh boolean;
   	update-check-ksk boolean;
+  	update-quota integer;
   	use-alt-transfer-source boolean;
   	use-v4-udp-ports { portrange; ... };
   	use-v6-udp-ports { portrange; ... };
@@ -584,7 +585,7 @@ VIEW
   	    * ) ] [ dscp integer ];
   	attach-cache string;
   	auth-nxdomain boolean; // default changed
-  	auto-dnssec ( allow | maintain | off );
+  	auto-dnssec ( allow | maintain | off );// deprecated
   	cache-file quoted_string;// deprecated
   	catalog-zones { zone string [ default-masters [ port integer ]
   	    [ dscp integer ] { ( remote-servers | ipv4_address [ port
@@ -859,7 +860,7 @@ VIEW
   		    integer | * ) ] [ dscp integer ];
   		alt-transfer-source-v6 ( ipv6_address | * ) [ port (
   		    integer | * ) ] [ dscp integer ];
-  		auto-dnssec ( allow | maintain | off );
+  		auto-dnssec ( allow | maintain | off );// deprecated
   		check-dup-records ( fail | warn | ignore );
   		check-integrity boolean;
   		check-mx ( fail | warn | ignore );
@@ -977,7 +978,7 @@ ZONE
   	    ] [ dscp integer ];
   	alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
   	    * ) ] [ dscp integer ];
-  	auto-dnssec ( allow | maintain | off );
+  	auto-dnssec ( allow | maintain | off );// deprecated
   	check-dup-records ( fail | warn | ignore );
   	check-integrity boolean;
   	check-mx ( fail | warn | ignore );
diff --git a/bin/named/server.c b/bin/named/server.c
index 4cd33ba08b..ed0ee59552 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8543,6 +8543,7 @@ load_configuration(const char *filename, named_server_t *server,
 	configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota);
 	configure_server_quota(maps, "recursive-clients",
 			       &server->sctx->recursionquota);
+	configure_server_quota(maps, "update-quota", &server->sctx->updquota);
 
 	max = isc_quota_getmax(&server->sctx->recursionquota);
 	if (max > 1000) {
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index e6a3f5aba6..ff3deab06c 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -344,6 +344,7 @@ init_desc(void) {
 	SET_NSSTATDESC(reclimitdropped,
 		       "queries dropped due to recursive client limit",
 		       "RecLimitDropped");
+	SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
 
 	INSIST(i == ns_statscounter_max);
 
@@ -2018,7 +2019,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
 					      "href=\"/bind9.xsl\""));
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
-					 ISC_XMLCHAR "3.11"));
+					 ISC_XMLCHAR "3.11.1"));
 
 	/* Set common fields for statistics dump */
 	dumparg.type = isc_statsformat_xml;
@@ -2878,7 +2879,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
 	/*
 	 * These statistics are included no matter which URL we use.
 	 */
-	obj = json_object_new_string("1.5");
+	obj = json_object_new_string("1.5.1");
 	CHECKMEM(obj);
 	json_object_object_add(bindstats, "json-stats-version", obj);
 
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index b1f7059acf..0ecdb68e95 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -75,6 +75,7 @@ options {
 	recursive-clients 3000;
 	serial-query-rate 100;
 	server-id none;
+	update-quota 200;
 	check-names primary warn;
 	check-names secondary ignore;
 	max-cache-size 20000000000000;
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
index 81d0c99af8..a5cc36dec5 100644
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
@@ -23,6 +23,7 @@ options {
 	recursion no;
 	notify yes;
 	minimal-responses no;
+	update-quota 1;
 };
 
 acl named-acl {
@@ -83,6 +84,7 @@ zone "other.nil" {
 	check-integrity no;
 	check-mx warn;
 	update-policy local;
+	allow-query { !10.53.0.2; any; };
 	allow-query-on { 10.53.0.1; 127.0.0.1; };
 	allow-transfer { any; };
 };
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index ee634d7257..67ffc27c1b 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1288,6 +1288,34 @@ END
 grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if query is not allowed ($n)"
+{
+  $NSUPDATE -d <<END
+  local 10.53.0.2
+  server 10.53.0.1 ${PORT}
+  update add reject.other.nil 3600 IN TXT Whatever
+  send
+END
+} > nsupdate.out.test$n 2>&1
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that update is rejected if quota is exceeded ($n)"
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
+  update add txt-$loop.other.nil 3600 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 if ! $FEATURETEST --gssapi ; then
   echo_i "SKIPPED: GSSAPI tests"
 else
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
index 9370bc8d70..14a7d295f8 100644
--- a/bin/tests/system/upforwd/clean.sh
+++ b/bin/tests/system/upforwd/clean.sh
@@ -31,3 +31,5 @@ rm -f keyname keyname.err
 rm -f ns*/named.lock
 rm -f ns1/example2.db
 rm -f ns*/managed-keys.bind*
+rm -f nsupdate.out.*
+rm -f ns*/named.run.prev
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
similarity index 79%
rename from bin/tests/system/upforwd/ns3/named.conf.in
rename to bin/tests/system/upforwd/ns3/named1.conf.in
index 7ff44655fe..61d42c8954 100644
--- a/bin/tests/system/upforwd/ns3/named.conf.in
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
@@ -30,20 +30,27 @@ key rndc_key {
 };
 
 controls {
-        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
 zone "example" {
 	type secondary;
 	file "example.bk";
-	allow-update-forwarding { any; };
+	allow-update-forwarding { 10.53.0.1; };
 	primaries { 10.53.0.1; };
 };
 
 zone "example2" {
 	type secondary;
 	file "example2.bk";
-	allow-update-forwarding { any; };
+	allow-update-forwarding { 10.53.0.1; };
+	primaries { 10.53.0.1; };
+};
+
+zone "example3" {
+	type secondary;
+	file "example3.bk";
+	allow-update-forwarding { 10.53.0.1; };
 	primaries { 10.53.0.1; };
 };
 
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
new file mode 100644
index 0000000000..86d7469601
--- /dev/null
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	update-quota 1;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "example" {
+	type secondary;
+	file "example.bk";
+	allow-update-forwarding { any; };
+	primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index a7af70efd7..c7c9afc603 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -19,7 +19,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
 
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns3/named1.conf.in ns3/named.conf
 
 if $FEATURETEST --enable-dnstap
 then
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index c0293b3132..35c55880b3 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -82,6 +82,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
 echo_i "updating zone (signed) ($n)"
 ret=0
 $NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
+local 10.53.0.1
 server 10.53.0.3 ${PORT}
 update add updated.example. 600 A 10.10.10.1
 update add updated.example. 600 TXT Foo
@@ -140,6 +141,7 @@ fi
 echo_i "updating zone (unsigned) ($n)"
 ret=0
 $NSUPDATE -- - <<EOF || ret=1
+local 10.53.0.1
 server 10.53.0.3 ${PORT}
 update add unsigned.example. 600 A 10.10.10.1
 update add unsigned.example. 600 TXT Foo
@@ -196,6 +198,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
 do
 (
 $NSUPDATE -- - <<EOF 
+local 10.53.0.1
 server 10.53.0.3 ${PORT}
 zone nomaster
 update add unsigned.nomaster. 600 A 10.10.10.1
@@ -227,6 +230,7 @@ then
 	ret=0
 	keyname=`cat keyname`
 	$NSUPDATE -k $keyname.private -- - <<EOF
+	local 10.53.0.1
 	server 10.53.0.3 ${PORT}
 	zone example2
 	update add unsigned.example2. 600 A 10.10.10.1
@@ -251,5 +255,40 @@ EOF
 	fi
 fi
 
+echo_i "attempting an update that should be rejected by ACL ($n)"
+ret=0
+{
+        $NSUPDATE -- - << EOF
+        local 10.53.0.2
+        server 10.53.0.3 ${PORT}
+        update add another.unsigned.example. 600 A 10.10.10.2
+        update add another.unsigned.example. 600 TXT Bar
+        send
+EOF
+} > nsupdate.out.$n 2>&1
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
+n=`expr $n + 1`
+
+n=$((n + 1))
+ret=0
+echo_i "attempting updates that should exceed quota ($n)"
+# lower the update quota to 1.
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+nextpart ns3/named.run > /dev/null
+for loop in 1 2 3 4 5 6 7 8 9 10; do
+{
+  $NSUPDATE -- - > /dev/null 2>&1 <<END
+  local 10.53.0.1
+  server 10.53.0.3 ${PORT}
+  update add txt-$loop.unsigned.example 300 IN TXT Whatever
+  send
+END
+} &
+done
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/doc/arm/notes.rst b/doc/arm/notes.rst
index 5830608da3..0a138f5974 100644
--- a/doc/arm/notes.rst
+++ b/doc/arm/notes.rst
@@ -47,6 +47,7 @@ for Microsoft Windows operating systems.
 .. include:: ../notes/notes-known-issues.rst
 
 .. include:: ../notes/notes-current.rst
+.. include:: ../notes/notes-9.16.37.rst
 .. include:: ../notes/notes-9.16.36.rst
 .. include:: ../notes/notes-9.16.35.rst
 .. include:: ../notes/notes-9.16.34.rst
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 727e908482..703663d0ba 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -3151,6 +3151,11 @@ system.
    value as ``tcp-keepalive-timeout``. This value can be updated at
    runtime by using ``rndc tcp-timeouts``.
 
+``update-quota``
+   This is the maximum number of simultaneous DNS UPDATE messages that
+   the server will accept for updating local authoritiative zones or
+   forwarding to a primary server. The default is ``100``.
+
 .. _intervals:
 
 Periodic Task Intervals
@@ -6837,6 +6842,11 @@ Name Server Statistics Counters
 ``UpdateBadPrereq``
     This indicates the number of dynamic updates rejected due to a prerequisite failure.
 
+``UpdateQuota``
+    This indicates the number of times a dynamic update or update
+    forwarding request was rejected because the number of pending
+    requests exceeded ``update-quota``.
+
 ``RateDropped``
     This indicates the number of responses dropped due to rate limits.
 
diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst
index 4acc0e08a7..e8f6cf9c65 100644
--- a/doc/dnssec-guide/introduction.rst
+++ b/doc/dnssec-guide/introduction.rst
@@ -250,7 +250,7 @@ at a very high level, looking up the name ``www.isc.org`` :
 
     Let's take a quick break here and look at what we've got so far...
     how can our server trust this answer? If a clever attacker had taken over
-    the ``isc.org`` name server(s), or course she would send matching
+    the ``isc.org`` name server(s), of course she would send matching
     keys and signatures. We need to ask someone else to have confidence
     that we are really talking to the real ``isc.org`` name server. This
     is a critical part of DNSSEC: at some point, the DNS administrators
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 4c46f47592..c87afa2881 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -231,7 +231,7 @@ options {
       answer\-cookie boolean;
       attach\-cache string;
       auth\-nxdomain boolean; // default changed
-      auto\-dnssec ( allow | maintain | off );
+      auto\-dnssec ( allow | maintain | off );// deprecated
       automatic\-interface\-scan boolean;
       avoid\-v4\-udp\-ports { portrange; ... };
       avoid\-v6\-udp\-ports { portrange; ... };
@@ -498,6 +498,7 @@ options {
       trust\-anchor\-telemetry boolean; // experimental
       try\-tcp\-refresh boolean;
       update\-check\-ksk boolean;
+      update\-quota integer;
       use\-alt\-transfer\-source boolean;
       use\-v4\-udp\-ports { portrange; ... };
       use\-v6\-udp\-ports { portrange; ... };
@@ -668,7 +669,7 @@ view string [ class ] {
           * ) ] [ dscp integer ];
       attach\-cache string;
       auth\-nxdomain boolean; // default changed
-      auto\-dnssec ( allow | maintain | off );
+      auto\-dnssec ( allow | maintain | off );// deprecated
       cache\-file quoted_string;// deprecated
       catalog\-zones { zone string [ default\-masters [ port integer ]
           [ dscp integer ] { ( remote\-servers | ipv4_address [ port
@@ -943,7 +944,7 @@ view string [ class ] {
                   integer | * ) ] [ dscp integer ];
               alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port (
                   integer | * ) ] [ dscp integer ];
-              auto\-dnssec ( allow | maintain | off );
+              auto\-dnssec ( allow | maintain | off );// deprecated
               check\-dup\-records ( fail | warn | ignore );
               check\-integrity boolean;
               check\-mx ( fail | warn | ignore );
@@ -1065,7 +1066,7 @@ zone string [ class ] {
           ] [ dscp integer ];
       alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
           * ) ] [ dscp integer ];
-      auto\-dnssec ( allow | maintain | off );
+      auto\-dnssec ( allow | maintain | off );// deprecated
       check\-dup\-records ( fail | warn | ignore );
       check\-integrity boolean;
       check\-mx ( fail | warn | ignore );
diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst
index 8fc7e1b4f0..346d59813e 100644
--- a/doc/misc/master.zoneopt.rst
+++ b/doc/misc/master.zoneopt.rst
@@ -20,7 +20,7 @@
   	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
   	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
   	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-  	auto-dnssec ( allow | maintain | off );
+  	auto-dnssec ( allow | maintain | off ); // deprecated
   	check-dup-records ( fail | warn | ignore );
   	check-integrity <boolean>;
   	check-mx ( fail | warn | ignore );
diff --git a/doc/misc/options b/doc/misc/options
index f57399499a..0dbcf101e1 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -404,6 +404,7 @@ options {
         trust-anchor-telemetry <boolean>; // experimental
         try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
+        update-quota <integer>;
         use-alt-transfer-source <boolean>;
         use-id-pool <boolean>; // ancient
         use-ixfr <boolean>; // obsolete
diff --git a/doc/misc/options.active b/doc/misc/options.active
index 5fc1ab29f4..eb75a86eae 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -363,6 +363,7 @@ options {
         trust-anchor-telemetry <boolean>; // experimental
         try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
+        update-quota <integer>;
         use-alt-transfer-source <boolean>;
         use-v4-udp-ports { <portrange>; ... };
         use-v6-udp-ports { <portrange>; ... };
diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
index 438072c95c..beef35341a 100644
--- a/doc/misc/options.grammar.rst
+++ b/doc/misc/options.grammar.rst
@@ -33,7 +33,7 @@
   	answer-cookie <boolean>;
   	attach-cache <string>;
   	auth-nxdomain <boolean>; // default changed
-  	auto-dnssec ( allow | maintain | off );
+  	auto-dnssec ( allow | maintain | off ); // deprecated
   	automatic-interface-scan <boolean>;
   	avoid-v4-udp-ports { <portrange>; ... };
   	avoid-v6-udp-ports { <portrange>; ... };
@@ -300,6 +300,7 @@
   	trust-anchor-telemetry <boolean>; // experimental
   	try-tcp-refresh <boolean>;
   	update-check-ksk <boolean>;
+  	update-quota <integer>;
   	use-alt-transfer-source <boolean>;
   	use-v4-udp-ports { <portrange>; ... };
   	use-v6-udp-ports { <portrange>; ... };
diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst
index cc72dcbf67..468a7f4d9a 100644
--- a/doc/misc/slave.zoneopt.rst
+++ b/doc/misc/slave.zoneopt.rst
@@ -21,7 +21,7 @@
   	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
   	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
   	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
-  	auto-dnssec ( allow | maintain | off );
+  	auto-dnssec ( allow | maintain | off ); // deprecated
   	check-names ( fail | warn | ignore );
   	database <string>;
   	dialup ( notify | notify-passive | passive | refresh | <boolean> );
diff --git a/doc/notes/notes-9.16.37.rst b/doc/notes/notes-9.16.37.rst
new file mode 100644
index 0000000000..9b0393ca04
--- /dev/null
+++ b/doc/notes/notes-9.16.37.rst
@@ -0,0 +1,80 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.16.37
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- An UPDATE message flood could cause :iscman:`named` to exhaust all
+  available memory. This flaw was addressed by adding a new
+  ``update-quota`` option that controls the maximum number of
+  outstanding DNS UPDATE messages that :iscman:`named` can hold in a
+  queue at any given time (default: 100). (CVE-2022-3094)
+
+  ISC would like to thank Rob Schulhof from Infoblox for bringing this
+  vulnerability to our attention. :gl:`#3523`
+
+- :iscman:`named` could crash with an assertion failure when an RRSIG
+  query was received and ``stale-answer-client-timeout`` was set to a
+  non-zero value. This has been fixed. (CVE-2022-3736)
+
+  ISC would like to thank Borja Marcos from Sarenet (with assistance by
+  Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
+  our attention. :gl:`#3622`
+
+- :iscman:`named` running as a resolver with the
+  ``stale-answer-client-timeout`` option set to any value greater than
+  ``0`` could crash with an assertion failure, when the
+  ``recursive-clients`` soft quota was reached. This has been fixed.
+  (CVE-2022-3924)
+
+  ISC would like to thank Maksym Odinintsev from AWS for bringing this
+  vulnerability to our attention. :gl:`#3619`
+
+New Features
+~~~~~~~~~~~~
+
+- The new ``update-quota`` option can be used to control the number of
+  simultaneous DNS UPDATE messages that can be processed to update an
+  authoritative zone on a primary server, or forwarded to the primary
+  server by a secondary server. The default is 100. A new statistics
+  counter has also been added to record events when this quota is
+  exceeded, and the version numbers for the XML and JSON statistics
+  schemas have been updated. :gl:`#3523`
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- The Differentiated Services Code Point (DSCP) feature in BIND has been
+  deprecated. Configuring DSCP values in ``named.conf`` now causes a
+  warning to be logged. Note that this feature has only been partly
+  operational since the new Network Manager was introduced in BIND
+  9.16.0. :gl:`#3773`
+
+- The catalog zone implementation has been optimized to work with
+  hundreds of thousands of member zones. :gl:`#3744`
+
+Bug Fixes
+~~~~~~~~~
+
+- In certain query resolution scenarios (e.g. when following CNAME
+  records), :iscman:`named` configured to answer from stale cache could
+  return a SERVFAIL response despite a usable, non-stale answer being
+  present in the cache. This has been fixed. :gl:`#3678`
+
+Known Issues
+~~~~~~~~~~~~
+
+- There are no new known issues with this release. See :ref:`above
+  <relnotes_known_issues>` for a list of all known issues affecting this
+  BIND 9 branch.
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 6fef810ce6..a97aaa85e9 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -11275,8 +11275,9 @@ void
 dns_resolver_cancelfetch(dns_fetch_t *fetch) {
 	fetchctx_t *fctx;
 	dns_resolver_t *res;
-	dns_fetchevent_t *event, *next_event;
-	isc_task_t *etask;
+	dns_fetchevent_t *event = NULL;
+	dns_fetchevent_t *event_trystale = NULL;
+	dns_fetchevent_t *event_fetchdone = NULL;
 
 	REQUIRE(DNS_FETCH_VALID(fetch));
 	fctx = fetch->private;
@@ -11288,33 +11289,60 @@ dns_resolver_cancelfetch(dns_fetch_t *fetch) {
 	LOCK(&res->buckets[fctx->bucketnum].lock);
 
 	/*
-	 * Find the completion event for this fetch (as opposed
+	 * Find the events for this fetch (as opposed
 	 * to those for other fetches that have joined the same
-	 * fctx) and send it with result = ISC_R_CANCELED.
+	 * fctx) and send them with result = ISC_R_CANCELED.
 	 */
-	event = NULL;
 	if (fctx->state != fetchstate_done) {
+		dns_fetchevent_t *next_event = NULL;
 		for (event = ISC_LIST_HEAD(fctx->events); event != NULL;
 		     event = next_event)
 		{
 			next_event = ISC_LIST_NEXT(event, ev_link);
 			if (event->fetch == fetch) {
 				ISC_LIST_UNLINK(fctx->events, event, ev_link);
-				break;
+				switch (event->ev_type) {
+				case DNS_EVENT_TRYSTALE:
+					INSIST(event_trystale == NULL);
+					event_trystale = event;
+					break;
+				case DNS_EVENT_FETCHDONE:
+					INSIST(event_fetchdone == NULL);
+					event_fetchdone = event;
+					break;
+				default:
+					UNREACHABLE();
+				}
+				if (event_trystale != NULL &&
+				    event_fetchdone != NULL)
+				{
+					break;
+				}
 			}
 		}
 	}
-	if (event != NULL) {
-		etask = event->ev_sender;
-		event->ev_sender = fctx;
-		event->result = ISC_R_CANCELED;
-		isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
+	/*
+	 * The "trystale" event must be sent before the "fetchdone" event,
+	 * because the latter clears the "recursing" query attribute, which is
+	 * required by both events (handled by the same callback function).
+	 */
+	if (event_trystale != NULL) {
+		isc_task_t *etask = event_trystale->ev_sender;
+		event_trystale->ev_sender = fctx;
+		event_trystale->result = ISC_R_CANCELED;
+		isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_trystale));
 	}
+	if (event_fetchdone != NULL) {
+		isc_task_t *etask = event_fetchdone->ev_sender;
+		event_fetchdone->ev_sender = fctx;
+		event_fetchdone->result = ISC_R_CANCELED;
+		isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_fetchdone));
+	}
+
 	/*
 	 * The fctx continues running even if no fetches remain;
 	 * the answer is still cached.
 	 */
-
 	UNLOCK(&res->buckets[fctx->bucketnum].lock);
 }
 
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 45de0196bf..6e63d86816 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1267,6 +1267,7 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "transfers-out", &cfg_type_uint32, 0 },
 	{ "transfers-per-ns", &cfg_type_uint32, 0 },
 	{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
+	{ "update-quota", &cfg_type_uint32, 0 },
 	{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
 	{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
index 8edfcd3c8b..6ace9f3e30 100644
--- a/lib/ns/include/ns/server.h
+++ b/lib/ns/include/ns/server.h
@@ -86,6 +86,7 @@ struct ns_server {
 	isc_quota_t recursionquota;
 	isc_quota_t tcpquota;
 	isc_quota_t xfroutquota;
+	isc_quota_t updquota;
 
 	/*% Test options and other configurables */
 	uint32_t options;
diff --git a/lib/ns/include/ns/stats.h b/lib/ns/include/ns/stats.h
index ee480959a5..b9564aaf44 100644
--- a/lib/ns/include/ns/stats.h
+++ b/lib/ns/include/ns/stats.h
@@ -108,7 +108,9 @@ enum {
 
 	ns_statscounter_reclimitdropped = 66,
 
-	ns_statscounter_max = 67,
+	ns_statscounter_updatequota = 67,
+
+	ns_statscounter_max = 68,
 };
 
 void
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 9ca353e795..d8c3a18218 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5177,6 +5177,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
 	qctx->result = ISC_R_SUCCESS;
 	qctx->findcoveringnsec = qctx->view->synthfromdnssec;
 
+	/*
+	 * If it's an RRSIG or SIG query, we'll iterate the node.
+	 */
+	if (qctx->qtype == dns_rdatatype_rrsig ||
+	    qctx->qtype == dns_rdatatype_sig)
+	{
+		qctx->type = dns_rdatatype_any;
+	}
+
 	CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
 }
 
@@ -5318,15 +5327,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
 
 	CALL_HOOK(NS_QUERY_SETUP, &qctx);
 
-	/*
-	 * If it's a SIG query, we'll iterate the node.
-	 */
-	if (qctx.qtype == dns_rdatatype_rrsig ||
-	    qctx.qtype == dns_rdatatype_sig)
-	{
-		qctx.type = dns_rdatatype_any;
-	}
-
 	/*
 	 * Check SERVFAIL cache
 	 */
@@ -6110,7 +6110,9 @@ fetch_callback(isc_task_t *task, isc_event_t *event) {
 	CTRACE(ISC_LOG_DEBUG(3), "fetch_callback");
 
 	if (event->ev_type == DNS_EVENT_TRYSTALE) {
-		query_lookup_stale(client);
+		if (devent->result != ISC_R_CANCELED) {
+			query_lookup_stale(client);
+		}
 		isc_event_free(ISC_EVENT_PTR(&event));
 		return;
 	}
diff --git a/lib/ns/server.c b/lib/ns/server.c
index f5dad49f88..63bea5dca4 100644
--- a/lib/ns/server.c
+++ b/lib/ns/server.c
@@ -54,6 +54,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
 	isc_quota_init(&sctx->xfroutquota, 10);
 	isc_quota_init(&sctx->tcpquota, 10);
 	isc_quota_init(&sctx->recursionquota, 100);
+	isc_quota_init(&sctx->updquota, 100);
 
 	CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx));
 
@@ -133,6 +134,7 @@ ns_server_detach(ns_server_t **sctxp) {
 			isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret));
 		}
 
+		isc_quota_destroy(&sctx->updquota);
 		isc_quota_destroy(&sctx->recursionquota);
 		isc_quota_destroy(&sctx->tcpquota);
 		isc_quota_destroy(&sctx->xfroutquota);
diff --git a/lib/ns/update.c b/lib/ns/update.c
index bbfb1974bc..4e51cdcb77 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -263,6 +263,9 @@ static void
 forward_done(isc_task_t *task, isc_event_t *event);
 static isc_result_t
 add_rr_prepare_action(void *data, rr_t *rr);
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  const dns_rdata_t *rdata, bool *flag);
 
 /**************************************************************************/
 
@@ -335,25 +338,26 @@ inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
 static isc_result_t
 checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
 	      dns_acl_t *updateacl, dns_ssutable_t *ssutable) {
+	isc_result_t result;
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char classbuf[DNS_RDATACLASS_FORMATSIZE];
-	int level;
-	isc_result_t result;
+	bool update_possible =
+		((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
+		 ssutable != NULL);
 
 	result = ns_client_checkaclsilent(client, NULL, queryacl, true);
 	if (result != ISC_R_SUCCESS) {
+		int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
+
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
 		dns_rdataclass_format(client->view->rdclass, classbuf,
 				      sizeof(classbuf));
 
-		level = (updateacl == NULL && ssutable == NULL) ? ISC_LOG_INFO
-								: ISC_LOG_ERROR;
-
 		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
 			      NS_LOGMODULE_UPDATE, level,
 			      "update '%s/%s' denied due to allow-query",
 			      namebuf, classbuf);
-	} else if (updateacl == NULL && ssutable == NULL) {
+	} else if (!update_possible) {
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
 		dns_rdataclass_format(client->view->rdclass, classbuf,
 				      sizeof(classbuf));
@@ -1549,6 +1553,167 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
 	isc_result_t result = ISC_R_SUCCESS;
 	update_event_t *event = NULL;
 	isc_task_t *zonetask = NULL;
+	dns_ssutable_t *ssutable = NULL;
+	dns_message_t *request = client->message;
+	dns_aclenv_t *env =
+		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
+	dns_rdataclass_t zoneclass;
+	dns_rdatatype_t covers;
+	dns_name_t *zonename = NULL;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *ver = NULL;
+
+	CHECK(dns_zone_getdb(zone, &db));
+	zonename = dns_db_origin(db);
+	zoneclass = dns_db_class(db);
+	dns_zone_getssutable(zone, &ssutable);
+	dns_db_currentversion(db, &ver);
+
+	/*
+	 * Update message processing can leak record existence information
+	 * so check that we are allowed to query this zone.  Additionally,
+	 * if we would refuse all updates for this zone, we bail out here.
+	 */
+	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
+			    dns_zone_getorigin(zone),
+			    dns_zone_getupdateacl(zone), ssutable));
+
+	/*
+	 * Check requestor's permissions.
+	 */
+	if (ssutable == NULL) {
+		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
+				     "update", dns_zone_getorigin(zone), false,
+				     false));
+	} else if (client->signer == NULL && !TCPCLIENT(client)) {
+		CHECK(checkupdateacl(client, NULL, "update",
+				     dns_zone_getorigin(zone), false, true));
+	}
+
+	if (dns_zone_getupdatedisabled(zone)) {
+		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
+				     "because the zone is frozen.  Use "
+				     "'rndc thaw' to re-enable updates.");
+	}
+
+	/*
+	 * Prescan the update section, checking for updates that
+	 * are illegal or violate policy.
+	 */
+	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+	{
+		dns_name_t *name = NULL;
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_ttl_t ttl;
+		dns_rdataclass_t update_class;
+
+		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
+			       &rdata, &covers, &ttl, &update_class);
+
+		if (!dns_name_issubdomain(name, zonename)) {
+			FAILC(DNS_R_NOTZONE, "update RR is outside zone");
+		}
+		if (update_class == zoneclass) {
+			/*
+			 * Check for meta-RRs.  The RFC2136 pseudocode says
+			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
+			 * "or any other QUERY metatype"
+			 */
+			if (dns_rdatatype_ismeta(rdata.type)) {
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
+			}
+			result = dns_zone_checknames(zone, name, &rdata);
+			if (result != ISC_R_SUCCESS) {
+				FAIL(DNS_R_REFUSED);
+			}
+		} else if (update_class == dns_rdataclass_any) {
+			if (ttl != 0 || rdata.length != 0 ||
+			    (dns_rdatatype_ismeta(rdata.type) &&
+			     rdata.type != dns_rdatatype_any))
+			{
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
+			}
+		} else if (update_class == dns_rdataclass_none) {
+			if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
+				FAILC(DNS_R_FORMERR, "meta-RR in update");
+			}
+		} else {
+			update_log(client, zone, ISC_LOG_WARNING,
+				   "update RR has incorrect class %d",
+				   update_class);
+			FAIL(DNS_R_FORMERR);
+		}
+
+		/*
+		 * draft-ietf-dnsind-simple-secure-update-01 says
+		 * "Unlike traditional dynamic update, the client
+		 * is forbidden from updating NSEC records."
+		 */
+		if (rdata.type == dns_rdatatype_nsec3) {
+			FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
+					     "allowed "
+					     "in secure zones");
+		} else if (rdata.type == dns_rdatatype_nsec) {
+			FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
+					     "allowed "
+					     "in secure zones");
+		} else if (rdata.type == dns_rdatatype_rrsig &&
+			   !dns_name_equal(name, zonename))
+		{
+			FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
+					     "currently "
+					     "not supported in secure zones "
+					     "except "
+					     "at the apex");
+		}
+
+		if (ssutable != NULL) {
+			isc_netaddr_t netaddr;
+			dst_key_t *tsigkey = NULL;
+			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+			if (client->message->tsigkey != NULL) {
+				tsigkey = client->message->tsigkey->key;
+			}
+
+			if (rdata.type != dns_rdatatype_any) {
+				if (!dns_ssutable_checkrules(
+					    ssutable, client->signer, name,
+					    &netaddr, TCPCLIENT(client), env,
+					    rdata.type, tsigkey))
+				{
+					FAILC(DNS_R_REFUSED, "rejected by "
+							     "secure update");
+				}
+			} else {
+				if (!ssu_checkall(db, ver, name, ssutable,
+						  client->signer, &netaddr, env,
+						  TCPCLIENT(client), tsigkey))
+				{
+					FAILC(DNS_R_REFUSED, "rejected by "
+							     "secure update");
+				}
+			}
+		}
+	}
+	if (result != ISC_R_NOMORE) {
+		FAIL(result);
+	}
+
+	update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
+
+	result = isc_quota_attach(&client->manager->sctx->updquota,
+				  &(isc_quota_t *){ NULL });
+	if (result != ISC_R_SUCCESS) {
+		update_log(client, zone, LOGLEVEL_PROTOCOL,
+			   "update failed: too many DNS UPDATEs queued (%s)",
+			   isc_result_totext(result));
+		ns_stats_increment(client->manager->sctx->nsstats,
+				   ns_statscounter_updatequota);
+		CHECK(DNS_R_DROP);
+	}
 
 	event = (update_event_t *)isc_event_allocate(
 		client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
@@ -1564,6 +1729,16 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
 	dns_zone_gettask(zone, &zonetask);
 	isc_task_send(zonetask, ISC_EVENT_PTR(&event));
 
+failure:
+	if (db != NULL) {
+		dns_db_closeversion(db, &ver, false);
+		dns_db_detach(&db);
+	}
+
+	if (ssutable != NULL) {
+		dns_ssutable_detach(&ssutable);
+	}
+
 	return (result);
 }
 
@@ -1671,9 +1846,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
 		break;
 	case dns_zone_secondary:
 	case dns_zone_mirror:
-		CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
-				     "update forwarding", zonename, true,
-				     false));
 		dns_message_clonebuffer(client->message);
 		CHECK(send_forward_event(client, zone));
 		break;
@@ -1684,16 +1856,21 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
 
 failure:
 	if (result == DNS_R_REFUSED) {
-		INSIST(dns_zone_gettype(zone) == dns_zone_secondary ||
-		       dns_zone_gettype(zone) == dns_zone_mirror);
 		inc_stats(client, zone, ns_statscounter_updaterej);
 	}
+
 	/*
 	 * We failed without having sent an update event to the zone.
 	 * We are still in the client task context, so we can
 	 * simply give an error response without switching tasks.
 	 */
-	respond(client, result);
+	if (result == DNS_R_DROP) {
+		ns_client_drop(client, result);
+		isc_nmhandle_detach(&client->reqhandle);
+	} else {
+		respond(client, result);
+	}
+
 	if (zone != NULL) {
 		dns_zone_detach(&zone);
 	}
@@ -2579,7 +2756,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_rdatatype_t covers;
 	dns_message_t *request = client->message;
 	dns_rdataclass_t zoneclass;
-	dns_name_t *zonename;
+	dns_name_t *zonename = NULL;
 	dns_ssutable_t *ssutable = NULL;
 	dns_fixedname_t tmpnamefixed;
 	dns_name_t *tmpname = NULL;
@@ -2591,8 +2768,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_ttl_t maxttl = 0;
 	uint32_t maxrecords;
 	uint64_t records;
-	dns_aclenv_t *env =
-		ns_interfacemgr_getaclenv(client->manager->interface->mgr);
 
 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
 
@@ -2603,14 +2778,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	zonename = dns_db_origin(db);
 	zoneclass = dns_db_class(db);
 	dns_zone_getssutable(zone, &ssutable);
-
-	/*
-	 * Update message processing can leak record existence information
-	 * so check that we are allowed to query this zone.  Additionally
-	 * if we would refuse all updates for this zone we bail out here.
-	 */
-	CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
-			    dns_zone_getupdateacl(zone), ssutable));
+	options = dns_zone_getoptions(zone);
 
 	/*
 	 * Get old and new versions now that queryacl has been checked.
@@ -2746,136 +2914,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 
 	update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK");
 
-	/*
-	 * Check Requestor's Permissions.  It seems a bit silly to do this
-	 * only after prerequisite testing, but that is what RFC2136 says.
-	 */
-	if (ssutable == NULL) {
-		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
-				     "update", zonename, false, false));
-	} else if (client->signer == NULL && !TCPCLIENT(client)) {
-		CHECK(checkupdateacl(client, NULL, "update", zonename, false,
-				     true));
-	}
-
-	if (dns_zone_getupdatedisabled(zone)) {
-		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
-				     "because the zone is frozen.  Use "
-				     "'rndc thaw' to re-enable updates.");
-	}
-
-	/*
-	 * Perform the Update Section Prescan.
-	 */
-
-	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
-	     result == ISC_R_SUCCESS;
-	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
-	{
-		dns_name_t *name = NULL;
-		dns_rdata_t rdata = DNS_RDATA_INIT;
-		dns_ttl_t ttl;
-		dns_rdataclass_t update_class;
-		get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
-			       &rdata, &covers, &ttl, &update_class);
-
-		if (!dns_name_issubdomain(name, zonename)) {
-			FAILC(DNS_R_NOTZONE, "update RR is outside zone");
-		}
-		if (update_class == zoneclass) {
-			/*
-			 * Check for meta-RRs.  The RFC2136 pseudocode says
-			 * check for ANY|AXFR|MAILA|MAILB, but the text adds
-			 * "or any other QUERY metatype"
-			 */
-			if (dns_rdatatype_ismeta(rdata.type)) {
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
-			}
-			result = dns_zone_checknames(zone, name, &rdata);
-			if (result != ISC_R_SUCCESS) {
-				FAIL(DNS_R_REFUSED);
-			}
-		} else if (update_class == dns_rdataclass_any) {
-			if (ttl != 0 || rdata.length != 0 ||
-			    (dns_rdatatype_ismeta(rdata.type) &&
-			     rdata.type != dns_rdatatype_any))
-			{
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
-			}
-		} else if (update_class == dns_rdataclass_none) {
-			if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
-				FAILC(DNS_R_FORMERR, "meta-RR in update");
-			}
-		} else {
-			update_log(client, zone, ISC_LOG_WARNING,
-				   "update RR has incorrect class %d",
-				   update_class);
-			FAIL(DNS_R_FORMERR);
-		}
-
-		/*
-		 * draft-ietf-dnsind-simple-secure-update-01 says
-		 * "Unlike traditional dynamic update, the client
-		 * is forbidden from updating NSEC records."
-		 */
-		if (rdata.type == dns_rdatatype_nsec3) {
-			FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
-					     "allowed "
-					     "in secure zones");
-		} else if (rdata.type == dns_rdatatype_nsec) {
-			FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
-					     "allowed "
-					     "in secure zones");
-		} else if (rdata.type == dns_rdatatype_rrsig &&
-			   !dns_name_equal(name, zonename))
-		{
-			FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
-					     "currently "
-					     "not supported in secure zones "
-					     "except "
-					     "at the apex");
-		}
-
-		if (ssutable != NULL) {
-			isc_netaddr_t netaddr;
-			dst_key_t *tsigkey = NULL;
-			isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
-			if (client->message->tsigkey != NULL) {
-				tsigkey = client->message->tsigkey->key;
-			}
-
-			if (rdata.type != dns_rdatatype_any) {
-				if (!dns_ssutable_checkrules(
-					    ssutable, client->signer, name,
-					    &netaddr, TCPCLIENT(client), env,
-					    rdata.type, tsigkey))
-				{
-					FAILC(DNS_R_REFUSED, "rejected by "
-							     "secure update");
-				}
-			} else {
-				if (!ssu_checkall(db, ver, name, ssutable,
-						  client->signer, &netaddr, env,
-						  TCPCLIENT(client), tsigkey))
-				{
-					FAILC(DNS_R_REFUSED, "rejected by "
-							     "secure update");
-				}
-			}
-		}
-	}
-	if (result != ISC_R_NOMORE) {
-		FAIL(result);
-	}
-
-	update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
-
 	/*
 	 * Process the Update Section.
 	 */
-
-	options = dns_zone_getoptions(zone);
 	for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
 	     result == ISC_R_SUCCESS;
 	     result = dns_message_nextname(request, DNS_SECTION_UPDATE))
@@ -3314,10 +3355,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			if (result == ISC_R_SUCCESS && records > maxrecords) {
 				update_log(client, zone, ISC_LOG_ERROR,
 					   "records in zone (%" PRIu64 ") "
-					   "exceeds"
-					   " max-"
-					   "records"
-					   " (%u)",
+					   "exceeds max-records (%u)",
 					   records, maxrecords);
 				result = DNS_R_TOOMANYRECORDS;
 				goto failure;
@@ -3518,6 +3556,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
 
 	respond(client, uev->result);
 
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
 	isc_event_free(&event);
 	isc_nmhandle_detach(&client->updatehandle);
 }
@@ -3534,6 +3573,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
 	INSIST(client->nupdates > 0);
 	client->nupdates--;
 	respond(client, DNS_R_SERVFAIL);
+
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
 	isc_event_free(&event);
 	isc_nmhandle_detach(&client->updatehandle);
 }
@@ -3571,6 +3612,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
 	client->nupdates--;
 	ns_client_sendraw(client, uev->answer);
 	dns_message_detach(&uev->answer);
+
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
 	isc_event_free(&event);
 	isc_nmhandle_detach(&client->reqhandle);
 	isc_nmhandle_detach(&client->updatehandle);
@@ -3606,6 +3649,24 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
 	update_event_t *event = NULL;
 	isc_task_t *zonetask = NULL;
 
+	result = checkupdateacl(client, dns_zone_getforwardacl(zone),
+				"update forwarding", dns_zone_getorigin(zone),
+				true, false);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	result = isc_quota_attach(&client->manager->sctx->updquota,
+				  &(isc_quota_t *){ NULL });
+	if (result != ISC_R_SUCCESS) {
+		update_log(client, zone, LOGLEVEL_PROTOCOL,
+			   "update failed: too many DNS UPDATEs queued (%s)",
+			   isc_result_totext(result));
+		ns_stats_increment(client->manager->sctx->nsstats,
+				   ns_statscounter_updatequota);
+		return (DNS_R_DROP);
+	}
+
 	event = (update_event_t *)isc_event_allocate(
 		client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
 		sizeof(*event));