diff --git a/CHANGES b/CHANGES
index 39608fe428..081788080f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2720. [bug] RFC 5011 trust anchor updates could trigger an
+ assert if the DNSKEY record was unsigned. [RT #20406]
+
 2719. [func] Skip trusted/managed keys for unsupported algorithms.
 [RT #20392]
 
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 978f528c2c..001c3ae070 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
 
-/* $Id: zone.c,v 1.518 2009/10/20 02:45:06 marka Exp $ */
+/* $Id: zone.c,v 1.519 2009/10/20 04:13:38 each Exp $ */
 
 /*! \file */
 
@@ -7042,7 +7042,8 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 dns_diff_init(zone->mctx, &diff);
 
 /* Fetch failed */
-if (eresult != ISC_R_SUCCESS) {
+if (eresult != ISC_R_SUCCESS ||
+ !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
 dns_zone_log(zone, ISC_LOG_WARNING,
 "Unable to fetch DNSKEY set "
 "'%s': %s", namebuf, dns_result_totext(eresult));
@@ -7050,6 +7051,15 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 goto failure;
 }
 
+/* No RRSIGs found */
+if (!dns_rdataset_isassociated(&kfetch->dnskeysigset)) {
+dns_zone_log(zone, ISC_LOG_WARNING,
+"No DNSKEY RRSIGs found for "
+"'%s': %s", namebuf, dns_result_totext(eresult));
+CHECK(minimal_update(kfetch, ver, &diff));
+goto failure;
+}
+
 /*
 * Validate the dnskeyset against the current trusted keys.
 * (Note, if a key has been revoked and isn't RSAMD5, then
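Review bot: The widened condition in the `@@ -7042` hunk now also fires when eresult is ISC_R_SUCCESS but the DNSKEY rdataset is unassociated, yet the warning still formats `dns_result_totext(eresult)`, so that case logs "Unable to fetch DNSKEY set '<name>': success" and hides the real cause (empty answer). The same pattern appears in the `@@ -7050` hunk, where the "No DNSKEY RRSIGs found" branch is only reachable after the success check, so its `%s` is always "success". Consider a dedicated message for the no-data case, e.g. `"DNSKEY set for '%s' was empty", namebuf`, and in the RRSIG branch `"No DNSKEY RRSIGs found for '%s'", namebuf` without the eresult argument. keyfetch_done() begins before and continues after these hunks, so the failure label and any later use of eresult are not visible here.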
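Review bot: In the `@@ -7050` hunk the new unsigned-DNSKEY branch calls `minimal_update()` before taking the same `goto failure` path as a fetch failure, but nothing explains why this case differs from the branch just above it, which goes to failure directly. Refusing to touch managed keys when the DNSKEY RRset carries no RRSIGs is the conservative RFC 5011 behaviour (only data signed by a currently trusted key may change trust anchors), and a comment making that explicit would protect the branch from a future "simplification" that accepts unsigned data, e.g. replace `/* No RRSIGs found */` with `/* Unsigned DNSKEY RRset: never modify managed keys on unverifiable data; presumably minimal_update() only refreshes the refetch timer (confirm). */`. The `CHECK()` macro and the failure label are outside the hunk, so how a minimal_update() error is reported cannot be judged from here.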