diff --git a/CHANGES b/CHANGES
index 660e3062ca..947690651f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2013.	[bug]		Handle unexpected TSIGs on unsigned AXFR/IXFR
+			responses more gracefully. [RT #15941]
+
 2012.	[func]		Don't insert new acache entries if acache is full.
 			[RT #15970]
 
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index ff1c798bc5..eafaadeac8 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.125 2006/03/08 03:51:01 marka Exp $
+ * $Id: tsig.c,v 1.126 2006/05/02 04:07:36 marka Exp $
  */
 /*! \file */
 #include <config.h>
@@ -855,8 +855,11 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 
 	msg->verify_attempted = 1;
 
-	if (msg->tcp_continuation)
+	if (msg->tcp_continuation) {
+		if (tsigkey == NULL || msg->querytsig == NULL)
+			return (DNS_R_UNEXPECTEDTSIG);
 		return (tsig_verify_tcp(source, msg));
+	}
 
 	/*
 	 * There should be a TSIG record...