named crash after reconfiguration when "allow-recursion" changed

With BIND 9.17.20 on Fedora 35 from my Copr fork I get a reproducible named segfault few seconds after I add IP entry to allow-recursion list, save named.conf (attached), and reconfigure named with rndc reconfig (if I restart named service instead of reconfiguration in the last step, no crash happens).

Also happens with Fedora 34 BIND 9.17.20 packages on Fedora 35 from the official Copr repo (we don't provide official Fedora 35 packages yet).

backtrace:

Core was generated by `/opt/isc/isc-bind/root/usr/sbin/named -u named'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:476
476		VMOVU	-VEC_SIZE(%rsi, %rdx), %VEC(5)
[Current thread is 1 (Thread 0x7f0479b7f640 (LWP 1360))]
(gdb) bt
#0  __memmove_evex_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:476
#1  0x00007f047b342de2 in memcpy (__len=<optimized out>, __src=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string_fortified.h:29
#2  OPENSSL_sk_dup (sk=0x7f04740138f0) at crypto/stack/stack.c:66
#3  0x00007f047ad25111 in sk_SSL_CIPHER_dup (sk=<optimized out>) at include/openssl/ssl.h:963
#4  SSL_new (ctx=ctx@entry=0x7f04740161a0) at ssl/ssl_lib.c:717
#5  0x00007f047b7d1a23 in isc_tls_create (ctx=0x7f04740161a0) at /usr/src/debug/isc-bind-bind-9.17.20-1.1.fc35.x86_64/lib/isc/tls.c:607
#6  0x00007f047b7df109 in tlslisten_acceptcb (handle=0x7f04789ee280, result=<optimized out>, cbarg=0x7f0478976800) at netmgr/tlsstream.c:595
#7  0x00007f047b7a062e in accept_connection (ssock=ssock@entry=0x7f0478977c00, quota=<optimized out>) at netmgr/tcp.c:1018
#8  0x00007f047b7a137e in tcp_connection_cb (server=<optimized out>, status=<optimized out>) at netmgr/tcp.c:632
#9  0x00007f047b1892f7 in uv__server_io (loop=0x7f047a231010, w=0x7f04789781b8, events=<optimized out>) at src/unix/stream.c:570
#10 0x00007f047b18ed3d in uv__io_poll (loop=0x7f047a231010, timeout=<optimized out>) at src/unix/linux-core.c:462
#11 0x00007f047b17e8e4 in uv_run (loop=loop@entry=0x7f047a231010, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:385
#12 0x00007f047b7a201e in nm_thread (worker0=0x7f047a231000) at netmgr/netmgr.c:688
#13 0x00007f047b7d517a in isc__trampoline_run (arg=0x561a73df6500) at /usr/src/debug/isc-bind-bind-9.17.20-1.1.fc35.x86_64/lib/isc/trampoline.c:185
#14 0x00007f047ae0bad7 in start_thread (arg=<optimized out>) at pthread_create.c:435
#15 0x00007f047ae90770 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

full backtrace

named.conf

tls local-tls {
   key-file "/etc/letsencrypt/live/dns.mnowak.cz/privkey.pem";
   cert-file "/etc/letsencrypt/live/dns.mnowak.cz/fullchain.pem";
};

options {
	directory "/var/opt/isc/scls/isc-bind/named/data";
	listen-on port 443 tls local-tls http default { any; };
	listen-on-v6 port 443 tls local-tls http default { any; };
	listen-on { any; };
	listen-on-v6 { any; };
	listen-on tls ephemeral { any; };
	listen-on-v6 tls ephemeral { any; };
	dnssec-validation auto;
	recursion yes;
	allow-recursion { 2a02:8308:a007:f700::0/64; 86.49/16; localhost; };
	querylog yes;
	max-cache-size 90%;
};

statistics-channels {
	inet * port 666 allow { 2a02:8308:a007:f700::0/64; 86.49/16; localhost; };
};

logging {
	channel default_debug {
		file "named.run";
		print-time yes;
		severity dynamic;
	};
};

key "rndc-key" {
        algorithm hmac-sha256;
        secret "5BLhJni/LLWlg8Lo09iTqhvJgvLmViEmcf60b+XX07o=";
};

controls {
	inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

core.gz

named.gz