diff --git a/CHANGES b/CHANGES
index 48b3fe212d..43a1980eb8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1546.	[bug]		We were rejecting valid secure CNAME to negative
+			answers.
+
 1545.	[bug]		It was possible to leak memory if named was unable to
 			bind to the specified transfer source and TSIG was
 			being used. [RT #10120]
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 9d50684830..f96468ca79 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.272 2003/10/26 21:33:47 marka Exp $ */
+/* $Id: resolver.c,v 1.273 2004/01/05 05:42:16 marka Exp $ */
 
 #include <config.h>
 
@@ -4356,21 +4356,20 @@ answer_response(fetchctx_t *fctx) {
 				 * We could add an "else" clause here and
 				 * log that we're ignoring this rdataset.
 				 */
-				
-				/*
-				 * If wanted_chaining is true, we've done
-				 * some chaining as the result of processing
-				 * this node, and thus we need to set
-				 * chaining to true.
-				 *
-				 * We don't set chaining inside of the
-				 * rdataset loop because doing that would
-				 * cause us to ignore the signatures of
-				 * CNAMEs.
-				 */
-				if (wanted_chaining)
-					chaining = ISC_TRUE;
 			}
+			/*
+			 * If wanted_chaining is true, we've done
+			 * some chaining as the result of processing
+			 * this node, and thus we need to set
+			 * chaining to true.
+			 *
+			 * We don't set chaining inside of the
+			 * rdataset loop because doing that would
+			 * cause us to ignore the signatures of
+			 * CNAMEs.
+			 */
+			if (wanted_chaining)
+				chaining = ISC_TRUE;
 		} else {
 			/*
 			 * Look for a DNAME (or its SIG).  Anything else is
@@ -4508,7 +4507,7 @@ answer_response(fetchctx_t *fctx) {
 	/*
 	 * Did chaining end before we got the final answer?
 	 */
-	if (want_chaining) {
+	if (chaining) {
 		/*
 		 * Yes.  This may be a negative reply, so hand off
 		 * authority section processing to the noanswer code.