diff --git a/CHANGES b/CHANGES
index b182db0706..bb2fc405a2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4171.	[bug]		Fixed incorrect class checks in TSIG RR
+			implementation. [RT #40287]
+
 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
 			rdatatype could trigger an assertion failure.
 			[RT #40286]
diff --git a/lib/dns/rdata/any_255/tsig_250.c b/lib/dns/rdata/any_255/tsig_250.c
index 3f91f91c00..7c7bdce35b 100644
--- a/lib/dns/rdata/any_255/tsig_250.c
+++ b/lib/dns/rdata/any_255/tsig_250.c
@@ -529,8 +529,8 @@ freestruct_any_tsig(ARGS_FREESTRUCT) {
 	dns_rdata_any_tsig_t *tsig = (dns_rdata_any_tsig_t *) source;
 
 	REQUIRE(source != NULL);
-	REQUIRE(tsig->common.rdclass == 255);
 	REQUIRE(tsig->common.rdtype == 250);
+	REQUIRE(tsig->common.rdclass == 255);
 
 	if (tsig->mctx == NULL)
 		return;
@@ -586,7 +586,7 @@ static inline isc_boolean_t
 checknames_any_tsig(ARGS_CHECKNAMES) {
 
 	REQUIRE(rdata->type == 250);
-	REQUIRE(rdata->rdclass == 250);
+	REQUIRE(rdata->rdclass == 255);
 
 	UNUSED(rdata);
 	UNUSED(owner);