diff --git a/CHANGES b/CHANGES
index f54fba63bb..75e4392706 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1696. [bug] dnssec-signzone failed to clean out nodes that
+ consisted of only NSEC and RRSIG records.
+ [RT #12154]
+
 1695. [bug] DS records when forwarding require special handling.
 [RT #12133]
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 9c3940650d..b5777598cb 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-signzone.c,v 1.179 2004/06/11 01:12:40 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.180 2004/08/11 08:55:47 marka Exp $ */
 #include
@@ -914,7 +914,8 @@ active_node(dns_dbnode_t *node) {
 result = dns_rdatasetiter_first(rdsiter);
 while (result == ISC_R_SUCCESS) {
 dns_rdatasetiter_current(rdsiter, &rdataset);
- if (rdataset.type != dns_rdatatype_nsec)
+ if (rdataset.type != dns_rdatatype_nsec &&
+ rdataset.type != dns_rdatatype_rrsig)
 active = ISC_TRUE;
 dns_rdataset_disassociate(&rdataset);
 if (!active)
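Review bot: The widened test in the `@@ -914,7 +914,8 @@` hunk ignores every RRSIG rdataset regardless of `rdataset.covers`, so a node that holds only signatures, for whatever covered type, is now classed as inactive and cleaned out by the code further down. That appears to be the intent of the fix, but nothing at the test says so; a short comment above the `if`, for example `/* NSEC and RRSIG records alone do not make a node active. */`, would keep a later reader from narrowing the check again and leaving stale signature-only nodes in the signed zone. The loop and the rest of active_node() extend outside this hunk.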
@@ -925,18 +926,41 @@ active_node(dns_dbnode_t *node) {
 if (result != ISC_R_NOMORE)
 fatal("rdataset iteration failed: %s",
 isc_result_totext(result));
- dns_rdatasetiter_destroy(&rdsiter);
 if (!active) {
 /*
- * Make sure there is no NSEC record for this node.
+ * Make sure there is no NSEC / RRSIG records for
+ * this node.
 */
 result = dns_db_deleterdataset(gdb, node, gversion,
 dns_rdatatype_nsec, 0);
 if (result == DNS_R_UNCHANGED)
 result = ISC_R_SUCCESS;
- check_result(result, "dns_db_deleterdataset");
+ check_result(result, "dns_db_deleterdataset(nsec)");
+
+ result = dns_rdatasetiter_first(rdsiter);
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ if (rdataset.type == dns_rdatatype_rrsig) {
+ dns_rdatatype_t type = rdataset.type;
+ dns_rdatatype_t covers = rdataset.covers;
+ result = dns_db_deleterdataset(gdb, node,
+ gversion, type,
+ covers);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ check_result(result,
+ "dns_db_deleterdataset(rrsig)");
+ }
+ dns_rdataset_disassociate(&rdataset);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("rdataset iteration failed: %s",
+ isc_result_totext(result));
 }
+ dns_rdatasetiter_destroy(&rdsiter);
 return (active);
 }
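Review bot: The standalone `result = dns_rdatasetiter_first(rdsiter);` just before the new `for` loop is redundant, because the loop's init clause makes the same call again; the first one can be dropped. Inside the loop, `result` is also overwritten with the return value of `dns_db_deleterdataset()`, so the iterator status survives only because the increment clause reassigns it. A separate local for the delete result (e.g. `dresult`, same type as `result`) would make the `ISC_R_NOMORE` check after the loop unambiguously about the iterator. The loop removes RRSIG rdatasets from the same node and version that `rdsiter` is still walking, and the iterator was created before the NSEC delete; whether that is safe depends on iterator semantics not visible here, so a one-line comment stating the assumption would help. active_node() begins before this hunk.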