diff --git a/CHANGES b/CHANGES
index cb245b1ed8..141ee08fdc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2245. [bug] Validating lack of DS records at trust anchors wasn't
+ working. [RT #17151]
+
 2244. [func] Allow the check of nameserver names against the SOA MNAME field to be disabled by specifying 'notify-to-soa yes;'. [RT #17073]
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index e749c7f3bc..167e24258e 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: validator.h,v 1.38 2007/06/18 23:47:42 tbox Exp $ */
+/* $Id: validator.h,v 1.39 2007/09/19 03:38:56 marka Exp $ */
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
@@ -81,11 +81,24 @@ typedef struct dns_validatorevent {
 ISC_EVENT_COMMON(struct dns_validatorevent);
 dns_validator_t * validator;
 isc_result_t result;
+ /*
+ * Name and type of the response to be validated.
+ */
 dns_name_t * name;
 dns_rdatatype_t type;
+ /*
+ * Rdata and RRSIG (if any) for positive responses.
+ */
 dns_rdataset_t * rdataset;
 dns_rdataset_t * sigrdataset;
+ /*
+ * The full response. Required for negative responses.
+ * Also required for positive wildcard responses.
+ */
 dns_message_t * message;
+ /*
+ * Proofs to be cached.
+ */
 dns_name_t * proofs[3];
 } dns_validatorevent_t;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 1630576ab6..007432612e 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: validator.c,v 1.154 2007/09/14 05:43:05 marka Exp $ */
+/* $Id: validator.c,v 1.155 2007/09/19 03:38:55 marka Exp $ */
 #include 
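Review bot: The new comment on `dns_name_t * proofs[3];` in the dns_validatorevent struct says only that the proofs are cached, which leaves the reader guessing what the three slots hold and which index means what, while the size stays a bare magic number. I would expand it to name the indexing scheme, e.g. `/* Proofs to be cached, indexed by the DNS_VALIDATOR_*PROOF constants in this header. */`, assuming those constants are what fills the array — confirm against the rest of validator.h, which is outside this hunk. The struct's opening line is also outside the hunk.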
@@ -2390,6 +2390,10 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
 dns_fixedname_init(&val->dlvsep);
 dlvsep = dns_fixedname_name(&val->dlvsep);
 dns_name_copy(val->event->name, dlvsep, NULL);
+ /*
+ * If this is a response to a DS query, we need to look in
+ * the parent zone for the trust anchor.
+ */
 if (val->event->type == dns_rdatatype_ds) {
 labels = dns_name_countlabels(dlvsep);
 if (labels == 0)
@@ -2492,9 +2496,16 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 if (val->havedlvsep)
 dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
 else {
+ dns_name_copy(val->event->name, secroot, NULL);
+ /*
+ * If this is a response to a DS query, we need to look in
+ * the parent zone for the trust anchor.
+ */
+ if (val->event->type == dns_rdatatype_ds &&
+ dns_name_countlabels(secroot) > 1U)
+ dns_name_split(secroot, 1, NULL, secroot);
 result = dns_keytable_finddeepestmatch(val->keytable,
- val->event->name,
- secroot);
+ secroot, secroot);
 if (result == ISC_R_NOTFOUND) {
 validator_log(val, ISC_LOG_DEBUG(3),
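Review bot: `dns_keytable_finddeepestmatch(val->keytable, secroot, secroot)` passes secroot as both the name being searched and the name the deepest match is written into, and `dns_name_split(secroot, 1, NULL, secroot)` a few lines earlier likewise rewrites its input in place; nothing at the call site says the callees tolerate that aliasing, so a reader will suspect a bug. A comment such as `/* secroot is replaced in place by the deepest matching trust anchor. */` above the call would settle it, assuming dns_keytable_finddeepestmatch documents that name and foundname may be the same object — worth confirming against keytable.c. The `> 1U` guard correctly keeps the root name from being split, but the "DS response looks in the parent" logic is now duplicated with finddlvsep (the first hunk of this file), so the two checks can drift apart; a small shared helper would prevent that. proveunsecure's body continues outside the hunk.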