diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index be4f2668d9..20fc75897f 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -625,12 +625,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 	tkey_log("process_gsstkey(): dns_tsigerror_noerror"); /* XXXSRA */
 	/*
-	 * We found a TKEY to respond with. We don't know if
-	 * the request is TSIG signed, but if it is not we need to make
-	 * sure the response is signed (RFC 2845 secton 2.2).
+	 * We found a TKEY to respond with. If the request is not TSIG signed,
+	 * we need to make sure the response is signed (see RFC 3645, Section
+	 * 2.2).
 	 */
-
-	if (tsigkey != NULL) {
+	if (tsigkey != NULL && msg->tsigkey == NULL && msg->sig0key == NULL) {
 		dns_message_settsigkey(msg, tsigkey);
 	}
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 79afd3f15c..bb66c5f174 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -778,7 +778,16 @@ dns_tsig_sign(dns_message_t *msg) {
 	key = dns_message_gettsigkey(msg);
 	REQUIRE(VALID_TSIG_KEY(key));
+	/*
+	 * If this is a response, there should be a TSIG in the query with the
+	 * the exception if this is a TKEY request (see RFC 3645, Section 2.2).
+	 */
 	response = is_response(msg);
+	if (response && msg->querytsig == NULL) {
+		if (msg->tkey != 1) {
+			return (DNS_R_EXPECTEDTSIG);
+		}
+	}
 	mctx = msg->mctx;
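Review bot: The rewritten comment in process_gsstkey() explains only the TSIG case, but the new condition also refuses to attach the negotiated key when `msg->sig0key` is set, and that SIG(0) leg is undocumented at the point where a reader meets it. I would extend the comment so it matches the condition, e.g. `* If the request was already authenticated by TSIG or SIG(0), the response is signed with that key instead; only an unsigned TKEY request gets the newly negotiated key.` Since the negotiated `tsigkey` is now left unattached in the signed-request case, it is worth confirming that the code after this hunk still releases that key reference on every path; that cannot be seen from here because process_gsstkey() begins and ends outside the hunk.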
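Review bot: The new comment in dns_tsig_sign() reads "with the the exception", and the two-level `if` it guards can be expressed as a single condition, which also makes the TKEY exemption visible on one line: `if (response && msg->querytsig == NULL && msg->tkey != 1) {` / `return (DNS_R_EXPECTEDTSIG);` / `}`. If `msg->tkey` is a boolean flag rather than a counter, `!msg->tkey` states the intent more directly than `!= 1`; the field's type is not visible in this hunk, so that should be checked. The early return happens before `mctx` or any buffer is taken, so no cleanup is skipped as far as the hunk shows, but dns_tsig_sign() continues outside the hunk and any later resource acquisition should be confirmed to come after this point.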