diff --git a/CHANGES b/CHANGES
index 93024ccb9a..e4521d7af9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3422. [bug] Added a clear error message for when the SOA does not
+ match the referral. [RT #31281]
+
 3421. [bug] Named loops when re-signing if all keys are offline.
 [RT #31916]
diff --git a/bin/tests/system/resolver/ans2/ans.pl b/bin/tests/system/resolver/ans2/ans.pl
index f2e4ef0075..c9471b766e 100644
--- a/bin/tests/system/resolver/ans2/ans.pl
+++ b/bin/tests/system/resolver/ans2/ans.pl
@@ -94,6 +94,10 @@ for (;;) {
 # expected to be accepted regardless of the filter setting.
 $packet->push("authority", new Net::DNS::RR("sub.example.org 300 NS ns.sub.example.org"));
 $packet->push("additional", new Net::DNS::RR("ns.sub.example.org 300 A 10.53.0.3"));
+ } elsif ($qname =~ /\.broken/) {
+ # Delegation to broken TLD.
+ $packet->push("authority", new Net::DNS::RR("broken 300 NS ns.broken"));
+ $packet->push("additional", new Net::DNS::RR("ns.broken 300 A 10.53.0.4"));
 } else {
 # Data for the "bogus referrals" test
 $packet->push("authority", new Net::DNS::RR("below.www.example.com 300 NS ns.below.www.example.com"));
diff --git a/bin/tests/system/resolver/ns4/broken.db b/bin/tests/system/resolver/ns4/broken.db
new file mode 100644
index 0000000000..598c0a0cc9
--- /dev/null
+++ b/bin/tests/system/resolver/ns4/broken.db
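Review bot: The new branch `elsif ($qname =~ /\.broken/)` matches any query name that contains `.broken` anywhere, not only names under the `broken` TLD, so an unrelated name such as `x.brokenness.example` would also be handed the broken delegation; anchoring it, `} elsif ($qname =~ /\.broken$/) {`, keeps the branch to the names this test intends (assuming `$qname` carries no trailing dot here — confirm against how the other branches match). The comment `# Delegation to broken TLD.` would help a future reader more if it named what is broken about it: `# Delegation to the "broken" TLD on ns4; the zone's SOA will not match this referral (SOA-mismatch test).` The `for (;;)` loop and the `if`/`elsif` chain enclosing this branch both begin and end outside the hunk.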
@@ -0,0 +1,29 @@
+; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: tld1.db,v 1.3 2012/02/09 23:47:18 tbox Exp $
+
+$TTL 300
+@ IN SOA marka.isc.org. ns.server. (
+ 2010 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+@ NS ns.tld.
+ns A 10.53.0.4
+$TTL 5
+sub.broken. NS ns.sub.broken.
+ns.sub.broken. A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns4/named.conf b/bin/tests/system/resolver/ns4/named.conf
index c7a7d6107f..e23b99f1d9 100644
--- a/bin/tests/system/resolver/ns4/named.conf
+++ b/bin/tests/system/resolver/ns4/named.conf
@@ -52,6 +52,11 @@ zone "tld" {
 file "tld.db";
 };
+zone "broken" {
+ type master;
+ file "broken.db";
+};
+
 key rndc_key {
 secret "1234abcd8765";
 algorithm hmac-md5;
diff --git a/bin/tests/system/resolver/ns6/broken.db b/bin/tests/system/resolver/ns6/broken.db
new file mode 100644
index 0000000000..017e4b67f6
--- /dev/null
+++ b/bin/tests/system/resolver/ns6/broken.db
@@ -0,0 +1,33 @@
+; Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: to-be-removed.tld.db.in,v 1.3 2012/02/09 23:47:18 tbox Exp $
+
+$TTL 600
+@ IN SOA ns hostmaster 1 1800 900 604800 600
+@ IN NS ns
+ns IN A 10.53.0.6
+ns0 IN A 10.53.0.6
+ns1 IN A 10.53.0.6
+ns2 IN A 10.53.0.6
+ns3 IN A 10.53.0.6
+ns4 IN A 10.53.0.6
+ns5 IN A 10.53.0.6
+ns6 IN A 10.53.0.6
+ns7 IN A 10.53.0.6
+ns8 IN A 10.53.0.6
+ns9 IN A 10.53.0.6
+$TTL 1
+@ IN A 10.53.0.6
+www.sub IN A 10.53.0.6
diff --git a/bin/tests/system/resolver/ns6/named.conf b/bin/tests/system/resolver/ns6/named.conf
index c721d4673a..35cccb79df 100644
--- a/bin/tests/system/resolver/ns6/named.conf
+++ b/bin/tests/system/resolver/ns6/named.conf
@@ -48,3 +48,9 @@ zone "to-be-removed.tld" {
 file "to-be-removed.tld.db";
 allow-update { any; };
 };
+
+zone "broken" {
+ type master;
+ file "broken.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 92834fdce2..a803916577 100644
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -293,6 +293,13 @@ done
 [ $ret = 0 ] && ret=$foo; if [ $ret != 0 ]; then echo "I:failed"; status=1; fi
+echo "I:check for improved error message with SOA mismatch"
+ret=0
+$DIG @10.53.0.1 -p 5300 www.sub.broken aaaa > dig.out.${n} || ret=1
+grep "not subdomain of zone" ns1/named.run > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 0585995203..b4d71d5d44 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5402,10 +5402,10 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 {
 isc_result_t result;
 dns_message_t *message;
- dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name;
+ dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name, *save_name;
 dns_rdataset_t *rdataset, *ns_rdataset;
 isc_boolean_t aa, negative_response;
- dns_rdatatype_t type;
+ dns_rdatatype_t type, save_type;
 dns_section_t section;
 FCTXTRACE("noanswer_response");
@@ -5472,6 +5472,8 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 ns_rdataset = NULL;
 soa_name = NULL;
 ds_name = NULL;
+ save_name = NULL;
+ save_type = dns_rdatatype_none;
 result = dns_message_firstname(message, section);
 while (result == ISC_R_SUCCESS) {
 name = NULL;
@@ -5670,6 +5672,9 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 dns_trust_additional;
 }
 }
+ } else {
+ save_name = name;
+ save_type = ISC_LIST_HEAD(name->list)->type;
 }
 result = dns_message_nextname(message, section);
 if (result == ISC_R_NOMORE)
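Review bot: The capture file `dig.out.${n}` is written with whatever `n` currently holds and the new block never advances it, so if the preceding check captured into the same `n` its output is silently overwritten; if the rest of the file bumps the counter per check (the loop above is outside the hunk), add the usual `expr`-based increment of `n` before `ret=0`. The check also asserts nothing about the response dig received — only that dig exited 0 and that `not subdomain of zone` appeared in `ns1/named.run` — so a regression that keeps the log line but changes the answer would still pass; asserting the expected status from `dig.out.${n}` would pin it, once the status the resolver returns here is confirmed (it is not visible in the diff). The grep pattern must stay in sync with the string literal added in `lib/dns/resolver.c` (`"Name %s (%s) not subdomain" " of zone %s -- invalid response"`); a one-line comment above the grep saying so would spare the next editor a hunt.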
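Review bot: `save_type = ISC_LIST_HEAD(name->list)->type;` dereferences the first rdataset of `name` without checking that the list is non-empty; the message parser presumably only adds a name to a section together with an rdataset, so this is likely safe, but a name reaching this branch with an empty list would be a NULL dereference driven by a remote response, and an `INSIST(ISC_LIST_HEAD(name->list) != NULL);` before it makes that invariant explicit and cheap to audit. The `if` that this new `else` completes begins outside the hunk, so it cannot be confirmed here which names fall through to it; because each iteration overwrites `save_name`, only the last such name is reported by the later diagnostic, which deserves a comment: `/* Remember the last unexpected name for the FORMERR diagnostic below. */`. Note that `save_type` is only meaningful when `save_name != NULL`; the `dns_rdatatype_none` default set in the hunk above is never logged on its own, so the pairing should be kept if either assignment is moved.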
@@ -5705,7 +5710,27 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 /*
 * The responder is insane.
 */
- log_formerr(fctx, "invalid response");
+ if (save_name == NULL) {
+ log_formerr(fctx, "invalid response");
+ return (DNS_R_FORMERR);
+ }
+ if (!dns_name_issubdomain(save_name, &fctx->domain)) {
+ char nbuf[DNS_NAME_FORMATSIZE];
+ char dbuf[DNS_NAME_FORMATSIZE];
+ char tbuf[DNS_RDATATYPE_FORMATSIZE];
+
+ dns_rdatatype_format(save_type, tbuf,
+ sizeof(tbuf));
+ dns_name_format(save_name, nbuf, sizeof(nbuf));
+ dns_name_format(&fctx->domain, dbuf,
+ sizeof(dbuf));
+
+ log_formerr(fctx, "Name %s (%s) not subdomain"
+ " of zone %s -- invalid response",
+ nbuf, tbuf, dbuf);
+ } else {
+ log_formerr(fctx, "invalid response");
+ }
 return (DNS_R_FORMERR);
 }
 }
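Review bot: `log_formerr(fctx, "invalid response");` and `return (DNS_R_FORMERR);` are each written twice in the new block; the early `if (save_name == NULL)` exit can fold into the subdomain test, `if (save_name != NULL && !dns_name_issubdomain(save_name, &fctx->domain)) {`, so that the existing `else` branch and the single `return (DNS_R_FORMERR);` after it cover both the no-candidate and the in-zone cases with identical behaviour and one exit path. The names logged here come from an unvalidated response, and `dns_name_format` into `DNS_NAME_FORMATSIZE` buffers yields bounded, escaped text, so logging them is safe; a short comment stating why the diagnostic is limited to the not-subdomain case would help, e.g. `/* The unexpected name lies outside the zone we were referred to (typically an SOA for a parent or unrelated zone); name it so the operator can tell which server misbehaved. */` — hedged, since the CHANGES entry is the only statement of intent visible. The `if` whose body holds the "responder is insane" comment opens outside the hunk.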