diff --git a/CHANGES b/CHANGES index e3b3ada5df1382b7996e614a20c976035912c2c4..4d73a73b37085e1dbdf0b73a6b17f76737ecfd47 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +6017. [bug] The view's zone table was not locked when it should + have been leading to race conditions when external + extensions that manipulate the zone table where in + use. [GL #3468] + 6016. [func] Change NSEC3PARAM TTL to match the SOA MINIMUM. [GL #3570] diff --git a/bin/named/server.c b/bin/named/server.c index b38e00d027a3e5079a8bffc60edd2345892a81fd..698e20d1d0d6a49bb948a769f02bbb7a86b51c33 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -9835,8 +9835,8 @@ cleanup_viewlist: if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) { dns_view_setviewrevert(view); - (void)dns_zt_apply(view->zonetable, false, NULL, - removed, view); + (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read, + false, NULL, removed, view); } dns_view_detach(&view); } @@ -11535,8 +11535,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) { ISC_LIST_INIT(vle->zonelist); ISC_LIST_APPEND(dctx->viewlist, vle, link); if (dctx->dumpzones) { - result = dns_zt_apply(view->zonetable, true, NULL, - add_zone_tolist, dctx); + result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, + true, NULL, add_zone_tolist, dctx); } return (result); } @@ -12862,7 +12862,8 @@ named_server_sync(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text) { for (view = ISC_LIST_HEAD(server->viewlist); view != NULL; view = ISC_LIST_NEXT(view, link)) { - result = dns_zt_apply(view->zonetable, false, NULL, + result = dns_zt_apply(view->zonetable, + isc_rwlocktype_none, false, NULL, synczone, &cleanup); if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS) { diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c index 801878e2bca4227da5b05ec7374e86c721a86aab..9484c2870efc237cf1df0ee28a9b4f65257078ed 100644 --- a/bin/named/statschannel.c +++ b/bin/named/statschannel.c 
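Review bot: In the `named_server_sync` hunk of bin/named/server.c the zone table is walked with `isc_rwlocktype_none`, and nothing in the hunk says what protects that walk. This commit exists because unlocked walks raced with code that modifies the table, so each unlocked call should state its guarantee next to it, for example `/* No zone table lock: <what excludes concurrent writers here> */`. If the caller already runs with the server in an exclusive state, that is the reason to name, but it is outside the hunk and should be confirmed. The same applies to the `zt_destroy` hunk in lib/dns/zt.c, where the flush walk also passes `isc_rwlocktype_none`, presumably because no other reference to the table remains. Both function bodies extend beyond their hunks.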
@@ -2254,8 +2254,8 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen, if ((flags & STATS_XML_ZONES) != 0) { TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones")); - CHECK(dns_zt_apply(view->zonetable, true, NULL, - zone_xmlrender, writer)); + CHECK(dns_zt_apply(view->zonetable, isc_rwlocktype_read, + true, NULL, zone_xmlrender, writer)); TRY0(xmlTextWriterEndElement(writer)); /* /zones */ } @@ -2985,8 +2985,9 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg, CHECKMEM(za); if ((flags & STATS_JSON_ZONES) != 0) { - CHECK(dns_zt_apply(view->zonetable, true, NULL, - zone_jsonrender, za)); + CHECK(dns_zt_apply(view->zonetable, + isc_rwlocktype_read, true, + NULL, zone_jsonrender, za)); } if (json_object_array_length(za) != 0) { diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h index 4b001234ba8adb3432fc038e0f4199d4853b4e37..077b26ddeac53273f597013eb30e73d4cf55e9d5 100644 --- a/lib/dns/include/dns/zt.h +++ b/lib/dns/include/dns/zt.h @@ -168,7 +168,7 @@ dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze); */ isc_result_t -dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub, +dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub, isc_result_t (*action)(dns_zone_t *, void *), void *uap); /*%< * Apply a given 'action' to all zone zones in the table. diff --git a/lib/dns/view.c b/lib/dns/view.c index 8fcf23345ca47d543f128629eb9a083796f1b3b3..43bdfc6fe71d2392f87f47a5645ca73ca76fd0e8 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -611,7 +611,8 @@ dns_view_dialup(dns_view_t *view) { REQUIRE(DNS_VIEW_VALID(view)); REQUIRE(view->zonetable != NULL); - (void)dns_zt_apply(view->zonetable, false, NULL, dialup, NULL); + (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read, false, NULL, + dialup, NULL); } void diff --git a/lib/dns/zt.c b/lib/dns/zt.c index aab623329a23784afaeb21f6ff12aba13e6489de..cbc0a8df5fdb6c0ef14e6414aca3fc53209ea4f9 100644 --- a/lib/dns/zt.c 
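Review bot: The `dns_zt_apply` prototype in lib/dns/include/dns/zt.h gains a `lock` parameter, but the `/*%<` comment under it is not updated in this hunk, so callers have no contract for choosing a value. I would add a paragraph stating that `lock` is the lock type taken on the zone table for the whole walk, that `action` runs with it held, and that `isc_rwlocktype_none` is valid only when the caller already holds the table lock or otherwise excludes concurrent modification. External users of the zone table are the case the CHANGES entry names, and they will read this header rather than zt.c. The rest of the comment lies outside the hunk, so an existing mention further down cannot be ruled out.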
+++ b/lib/dns/zt.c @@ -228,7 +228,8 @@ zt_destroy(dns_zt_t *zt) { isc_refcount_destroy(&zt->loads_pending); if (atomic_load_acquire(&zt->flush)) { - (void)dns_zt_apply(zt, false, NULL, flush, NULL); + (void)dns_zt_apply(zt, isc_rwlocktype_none, false, NULL, flush, + NULL); } dns_rbt_destroy(&zt->table); @@ -263,9 +264,8 @@ dns_zt_load(dns_zt_t *zt, bool stop, bool newonly) { struct zt_load_params params; REQUIRE(VALID_ZT(zt)); params.newonly = newonly; - RWLOCK(&zt->rwlock, isc_rwlocktype_read); - result = dns_zt_apply(zt, stop, NULL, load, ¶ms); - RWUNLOCK(&zt->rwlock, isc_rwlocktype_read); + result = dns_zt_apply(zt, isc_rwlocktype_read, stop, NULL, load, + ¶ms); return (result); } @@ -336,9 +336,8 @@ dns_zt_asyncload(dns_zt_t *zt, bool newonly, dns_zt_allloaded_t alldone, zt->loaddone = alldone; zt->loaddone_arg = arg; - RWLOCK(&zt->rwlock, isc_rwlocktype_read); - result = dns_zt_apply(zt, false, NULL, asyncload, zt); - RWUNLOCK(&zt->rwlock, isc_rwlocktype_read); + result = dns_zt_apply(zt, isc_rwlocktype_read, false, NULL, asyncload, + zt); /* * Have all the loads completed? @@ -384,9 +383,8 @@ dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze) { REQUIRE(VALID_ZT(zt)); - RWLOCK(&zt->rwlock, isc_rwlocktype_read); - result = dns_zt_apply(zt, false, &tresult, freezezones, ¶ms); - RWUNLOCK(&zt->rwlock, isc_rwlocktype_read); + result = dns_zt_apply(zt, isc_rwlocktype_read, false, &tresult, + freezezones, ¶ms); if (tresult == ISC_R_NOTFOUND) { tresult = ISC_R_SUCCESS; } @@ -522,7 +520,7 @@ dns_zt_setviewrevert(dns_zt_t *zt) { } isc_result_t -dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub, +dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop, isc_result_t *sub, isc_result_t (*action)(dns_zone_t *, void *), void *uap) { dns_rbtnode_t *node; dns_rbtnodechain_t chain; 
@@ -532,6 +530,10 @@ dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub, REQUIRE(VALID_ZT(zt)); REQUIRE(action != NULL); + if (lock != isc_rwlocktype_none) { + RWLOCK(&zt->rwlock, lock); + } + dns_rbtnodechain_init(&chain); result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL); if (result == ISC_R_NOTFOUND) { @@ -568,6 +570,10 @@ cleanup: *sub = tresult; } + if (lock != isc_rwlocktype_none) { + RWUNLOCK(&zt->rwlock, lock); + } + return (result); } diff --git a/tests/dns/zt_test.c b/tests/dns/zt_test.c index b164b74e17d92361e14fc2dcc3c9a3d27743380f..0f4769510346dc4d1e7cc4d97e019566904f2a0f 100644 --- a/tests/dns/zt_test.c +++ b/tests/dns/zt_test.c @@ -66,8 +66,8 @@ ISC_LOOP_TEST_IMPL(apply) { assert_non_null(view->zonetable); assert_int_equal(nzones, 0); - result = dns_zt_apply(view->zonetable, false, NULL, count_zone, - &nzones); + result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, false, NULL, + count_zone, &nzones); assert_int_equal(result, ISC_R_SUCCESS); assert_int_equal(nzones, 1);
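Review bot: In `dns_zt_apply` (lib/dns/zt.c) the lock is now held while every `action` callback runs, and the two added blocks do not say what a callback may do under it. A callback that calls back into a zone-table function taking `zt->rwlock` for writing would block on the lock its own walk holds, and a nested read acquisition may also stall behind a queued writer, depending on the rwlock's fairness policy. I would put `/* 'action' is called with zt->rwlock held; it must not add or remove zones in this table. */` above the `RWLOCK` call. The release sits after the `cleanup:` label, so it is paired only if every exit between the two added blocks reaches that label; the loop body is outside these hunks and is worth checking for an early `return`.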
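Review bot: The `apply` test in tests/dns/zt_test.c is only adapted to the new signature, so the `isc_rwlocktype_none` branch of `dns_zt_apply` and the lock/unlock pairing are not exercised. A second walk after the existing assertions would cover the unlocked branch: `nzones = 0;`, `result = dns_zt_apply(view->zonetable, isc_rwlocktype_none, false, NULL, count_zone, &nzones);`, `assert_int_equal(nzones, 1);`. Repeating the walk with `isc_rwlocktype_write` would likely also catch a leaked read lock, since the write acquisition would then not complete. The test body continues outside the hunk.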