diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 68a48bd..379e8a4 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1419,7 +1419,7 @@ int in_zone(struct auth_zone *zone, char *name, char **cut);
 /* dnssec.c */
 #ifdef HAVE_DNSSEC
-size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int type, int edns_pktsz);
+size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class, int id, int type, int edns_pktsz);
 int dnssec_validate_by_ds(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class, int *validate_count);
 int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char *name,
diff --git a/src/dnssec.c b/src/dnssec.c
index f5bf3f4..c42a667 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2203,8 +2203,8 @@ int dnskey_keytag(int alg, int flags, unsigned char *key, int keylen)
 }
 }
-size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name, int class,
- int type, int edns_pktsz)
+size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char *name,
+ int class, int id, int type, int edns_pktsz)
 {
 unsigned char *p;
 size_t ret;
@@ -2213,7 +2213,8 @@ size_t dnssec_generate_query(struct dns_header *header, unsigned char *end, char
 header->ancount = htons(0);
 header->nscount = htons(0);
 header->arcount = htons(0);
-
+ header->id = htons(id);
+
 header->hb3 = HB3_RD;
 SET_OPCODE(header, QUERY);
 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
diff --git a/src/forward.c b/src/forward.c
index 1699670..2bf0a5b 100644
--- a/src/forward.c
+++ b/src/forward.c
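Review bot: The new signature inserts `id` between two other plain `int` parameters (`class` and `type`) and the function still has no header comment, so a call site that transposes `class`, `id` and `type` compiles silently; the `0` passed from the TCP caller in forward.c shows how easy it is to lose track of which position is which. I would put a short block comment above the definition describing the contract: that the query is written into `header` up to `end`, that `id` becomes the transaction ID of the generated packet, that `class`/`type` select the DNSKEY or DS question, and what `edns_pktsz` is used for. The function body continues past the end of this hunk.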
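Review bot: `header->id = htons(id);` is now the single place a DNSSEC sub-query gets its transaction ID, but nothing records who is expected to supply it: the UDP caller in forward.c passes a fresh `get_id()`, while the TCP caller passes the constant `0`, so every DNSKEY/DS query on the TCP path goes out with ID 0. On a TCP connection the ID is not a spoofing defence, but if anything on the TCP reply path matches answers to queries by ID, a constant ID will not catch a misrouted reply — worth confirming in tcp_key_recurse, whose reply handling is not visible here. I would add above the assignment: `/* id is caller-chosen: get_id() on the UDP path, 0 for TCP sub-queries where the connection itself pairs query and reply. */`. `id` is also an `int` that htons() silently truncates to 16 bits; declaring it `unsigned short id` (or masking with `id & 0xffff`) would make that explicit. The function continues past the end of this hunk.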
@@ -1051,7 +1051,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 if ((serverind = dnssec_server(forward->sentto, daemon->keyname, NULL, NULL)) != -1 &&
 (server = daemon->serverarray[serverind]) &&
 (nn = dnssec_generate_query(header, ((unsigned char *) header) + server->edns_pktsz,
- daemon->keyname, forward->class,
+ daemon->keyname, forward->class, get_id(),
 STAT_ISEQUAL(status, STAT_NEED_KEY) ? T_DNSKEY : T_DS, server->edns_pktsz)) &&
 (fd = allocate_rfd(&rfds, server)) != -1 &&
 (newstash = blockdata_alloc((char *)header, nn)) &&
@@ -1081,8 +1081,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 forward->stash_len = plen;
 forward->stash = stash;
- new->new_id = get_id();
- header->id = htons(new->new_id);
+ new->new_id = ntohs(header->id);
 /* Save query for retransmission and de-dup */
 new->stash = newstash;
 new->stash_len = nn;
@@ -2225,7 +2224,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 break;
 }
- m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class,
+ m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class, 0,
 STAT_ISEQUAL(new_status, STAT_NEED_KEY) ? T_DNSKEY : T_DS, server->edns_pktsz);
 if ((start = dnssec_server(server, keyname, &first, &last)) == -1)
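Review bot: `new->new_id = ntohs(header->id);` reads the transaction ID back out of the packet buffer, which is only correct because `header` was overwritten with the generated DNSKEY/DS query by the `dnssec_generate_query(..., get_id(), ...)` call in the condition some thirty lines earlier, and because `newstash` was copied from `header` later in that same `&&` chain, after the ID was written; nothing at this line says so, and a future reorder of that chain would silently desynchronise the stashed retransmission from `new_id`. A comment here would spare the next reader the trip up the function: `/* header now holds the DNSKEY/DS query built above, ID already set by get_id(); newstash is a copy of it, so the stashed retransmission carries the same ID. */`. dnssec_validate starts and ends outside this hunk.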