diff --git a/NEWS b/NEWS
index 7f26db736eea2fe0626b93a8ce522c61412325b6..5962f1d3be7f9c06935338859cf516f0cb973951 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,7 @@ Incompatible changes
 --------------------
 - minor changes in module API; see upgrading guide:
   https://knot-resolver.readthedocs.io/en/stable/upgrading.html
+- fix SERVFAIL while processing forwarded CNAME to a sibling zone (#614, !1070)
 
 
 Knot Resolver 5.1.3 (2020-09-08)
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 398af594ba8f07e0fdea86e1bf7a6c89f5d1ae3d..4afd5d0fcb72d510ac136ea37b8a7a4f82660936 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -609,15 +609,17 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral,
 		}
 		/* The validator still can't handle multiple zones in one answer,
 		 * so we only follow if a single label is replaced.
-		 * TODO: this still isn't 100%, as the target might have a NS+DS,
-		 * possibly leading to a SERVFAIL for the in-bailiwick name. */
+		 * Forwarding appears to be even more sensitive to this.
+		 * TODO: iteration can probably handle the remaining cases,
+		 * but overall it would be better to have a smarter validator
+		 * (and thus save roundtrips).*/
 		const int pending_labels = knot_dname_labels(pending_cname, NULL);
 		if (pending_labels != cname_labels) {
 			cname = pending_cname;
 			break;
 		}
-		if (knot_dname_matched_labels(pending_cname, cname) !=
-		    (cname_labels - 1)) {
+		if (knot_dname_matched_labels(pending_cname, cname) != cname_labels - 1
+		    || query->flags.FORWARD) {
 			cname = pending_cname;
 			break;
 		}
diff --git a/tests/integration/deckard b/tests/integration/deckard
index 6168c4f31eea1193c202cbb14fe7c34002b53765..5516e290cbd6a578f3ac907d9244ef20ff280bf8 160000
--- a/tests/integration/deckard
+++ b/tests/integration/deckard
@@ -1 +1 @@
-Subproject commit 6168c4f31eea1193c202cbb14fe7c34002b53765
+Subproject commit 5516e290cbd6a578f3ac907d9244ef20ff280bf8