diff --git a/CHANGES b/CHANGES
index a11dde4e00..ae2eaa6919 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+1275. [bug] When verifying that an NXT proves nonexistence, check
+ the rcode of the message and only do the matching NXT
+ check. That is, for NXDOMAIN responses, check that
+ the name is in the range between the NXT owner and
+ next name, and for NOERROR NODATA responses, check
+ that the type is not present in the NXT bitmap.
+
 1274. [func] preferred-glue option from BIND 8.3.
 1273. [bug] The dnssec system test failed to remove the correct
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 4806006d6b..78a6705cb4 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.103 2002/02/20 03:34:22 marka Exp $ */
+/* $Id: validator.c,v 1.104 2002/04/29 23:50:24 marka Exp $ */
 #include
@@ -345,8 +345,16 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
 {
 int order;
 dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t isnxdomain;
 isc_result_t result;
+ INSIST(DNS_MESSAGE_VALID(val->event->message));
+
+ if (val->event->message->rcode == dns_rcode_nxdomain)
+ isnxdomain = ISC_TRUE;
+ else
+ isnxdomain = ISC_FALSE;
+
 result = dns_rdataset_first(nxtset);
 if (result != ISC_R_SUCCESS) {
 validator_log(val, ISC_LOG_DEBUG(3),
@@ -359,8 +367,13 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
 order = dns_name_compare(val->event->name, nxtname);
 if (order == 0) {
 /*
- * The names are the same, so look for the type present bit.
+ * The names are the same. Look for the type present bit.
 */
+ if (isnxdomain) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "NXT record seen at nonexistent name");
+ return (ISC_FALSE);
+ }
 if (val->event->type >= 128) {
 validator_log(val, ISC_LOG_DEBUG(3),
 "invalid type %d", val->event->type);
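Review bot: The rcode test added at the top of nxtprovesnonexistence treats every response that is not NXDOMAIN as a NODATA answer, so any other rcode that reaches this function would have its NXT judged by the NOERROR rule; whether such responses can get here is not visible in the hunk, but an explicit rejection is cheap, e.g. `if (val->event->message->rcode != dns_rcode_noerror && val->event->message->rcode != dns_rcode_nxdomain) return (ISC_FALSE);` placed before the isnxdomain assignment. The four-line if/else could also be written as `isnxdomain = ISC_TF(val->event->message->rcode == dns_rcode_nxdomain);`. A why-comment above the assignment would help the next reader: `/* NXDOMAIN: the NXT must cover the name; NODATA: it must be owned by the name with the type bit clear. */`. The body of nxtprovesnonexistence continues outside the hunk.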
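Review bot: The new early return in the order == 0 branch is explained only by its log string; a one-line comment above `if (isnxdomain) {` would make the contradiction it catches explicit, e.g. `/* An NXT owned by the query name proves the name exists, which contradicts NXDOMAIN. */`. The rest of the order == 0 branch lies outside the hunk.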
@@ -379,6 +392,11 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
 /*
 * The NXT owner name is less than the nonexistent name.
 */
+ if (!isnxdomain) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "missing NXT record at name");
+ return (ISC_FALSE);
+ }
 result = dns_rdata_tostruct(&rdata, &nxt, NULL);
 if (result != ISC_R_SUCCESS)
 return (ISC_FALSE);
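Review bot: The new `if (!isnxdomain)` guard before dns_rdata_tostruct() rejects NODATA responses whose NXT is owned by a name below the query name, but nothing in the hunk says why such an NXT is insufficient; suggest `/* NODATA needs an NXT owned by the query name itself; one owned by a lesser name says nothing about this name's types. */` above the guard. The comparison against the NXT's next name that presumably follows for the NXDOMAIN case lies past the end of the hunk, as does the rest of the enclosing function.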