diff --git a/src/dnssec.c b/src/dnssec.c
index 8143185..8ff7a73 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -872,7 +872,7 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
   if (qtype != T_DS || qclass != class)
     rc = STAT_BOGUS;
   else
-    rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 0, &neganswer, &nons);
+    rc = dnssec_validate_reply(now, header, plen, name, keyname, NULL, 1, &neganswer, &nons);
   
   if (rc == STAT_INSECURE)
     rc = STAT_BOGUS;
@@ -1966,35 +1966,36 @@ int dnssec_validate_reply(time_t now, struct dns_header *header, size_t plen, ch
     }
 
   /* OK, all the RRsets validate, now see if we have a missing answer or CNAME target. */
-  for (j = 0; j <targetidx; j++)
-    if ((p2 = targets[j]))
-      {
-	if (neganswer)
-	  *neganswer = 1;
-
-	if (!extract_name(header, plen, &p2, name, 1, 10))
-	  return STAT_BOGUS; /* bad packet */
-	    
-	/* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
-
-	/* For anything other than a DS record, this situation is OK if either
-	   the answer is in an unsigned zone, or there's a NSEC records. */
-	if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons))
-	  {
-	    /* Empty DS without NSECS */
-	    if (qtype == T_DS)
-	      return STAT_BOGUS;
-	    
-	    if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
-	      {
-		if (class)
-		  *class = qclass; /* Class for NEED_DS or NEED_KEY */
-		return rc;
-	      } 
-	    
-	    return STAT_BOGUS; /* signed zone, no NSECs */
-	  }
-      }
+  if (check_unsigned)
+    for (j = 0; j <targetidx; j++)
+      if ((p2 = targets[j]))
+	{
+	  if (neganswer)
+	    *neganswer = 1;
+	  
+	  if (!extract_name(header, plen, &p2, name, 1, 10))
+	    return STAT_BOGUS; /* bad packet */
+	  
+	  /* NXDOMAIN or NODATA reply, unanswered question is (name, qclass, qtype) */
+	  
+	  /* For anything other than a DS record, this situation is OK if either
+	     the answer is in an unsigned zone, or there's a NSEC records. */
+	  if (!prove_non_existence(header, plen, keyname, name, qtype, qclass, NULL, nons))
+	    {
+	      /* Empty DS without NSECS */
+	      if (qtype == T_DS)
+		return STAT_BOGUS;
+	      
+	      if ((rc = zone_status(name, qclass, keyname, now)) != STAT_SECURE)
+		{
+		  if (class)
+		    *class = qclass; /* Class for NEED_DS or NEED_KEY */
+		  return rc;
+		} 
+	      
+	      return STAT_BOGUS; /* signed zone, no NSECs */
+	    }
+	}
   
   return secure;
 }