diff --git a/CHANGES b/CHANGES
index c274601792..f6294a7c60 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+ 427. [bug] Avoid going into an infinite loop when the validator
+ gets a negative response to a key query where the
+ records are signed by the missing key.
+
 426. [bug] Attempting to generate an oversized RSA key could cause dnssec-keygen to dump core.
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 0be12a32e2..1f6a10524d 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.76 2000/08/26 01:36:58 bwelling Exp $ */
+/* $Id: validator.c,v 1.77 2000/09/07 19:46:51 bwelling Exp $ */
 #include
@@ -1103,6 +1103,22 @@ nxtvalidate(dns_validator_t *val, isc_boolean_t resume) {
 if (sigrdataset == NULL)
 continue;
 val->seensig = ISC_TRUE;
+ if (val->event->type == dns_rdatatype_key &&
+ dns_name_equal(name, val->event->name))
+ {
+ dns_rdata_t nxt;
+
+ if (rdataset->type != dns_rdatatype_nxt)
+ continue;
+
+ result = dns_rdataset_first(rdataset);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdata_init(&nxt);
+ dns_rdataset_current(rdataset, &nxt);
+ if (dns_nxt_typepresent(&nxt,
+ dns_rdatatype_soa))
+ continue;
+ }
 val->authvalidator = NULL;
 val->currentset = rdataset;
 result = dns_validator_create(val->view, name,
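Review bot: In the block added to nxtvalidate(), `INSIST(result == ISC_R_SUCCESS);` after `dns_rdataset_first(rdataset)` turns an empty NXT rdataset into a process abort, and this rdataset appears to come from the response being validated rather than from local state. Unless message parsing guarantees at least one rdata here (not visible in this hunk), skipping the set is safer than asserting, e.g. `if (result != ISC_R_SUCCESS) continue;`. The block also needs a comment explaining why an NXT with the SOA bit set at the queried KEY name is skipped, something like `/* This NXT is presumably signed by the key being looked up; validating it would ask for the same missing key again. */`, since the rationale currently lives only in CHANGES. `val->seensig = ISC_TRUE` is set before the new `continue` statements, so a skipped set still counts as a seen signature; whether that is intended depends on the code after the loop, which is outside the hunk.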