diff --git a/CHANGES b/CHANGES
index 9b05d6e0b7..6e6a510874 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+1494. [security] Turn on RSA BLINDING as a precaution.
+
 1493. [placeholder]
 1492. [cleanup] Preserve rwlock quota context when upgrading /
diff --git a/lib/dns/sec/dst/opensslrsa_link.c b/lib/dns/sec/dst/opensslrsa_link.c
index 2214fc3e27..b9e19e6eca 100644
--- a/lib/dns/sec/dst/opensslrsa_link.c
+++ b/lib/dns/sec/dst/opensslrsa_link.c
@@ -17,7 +17,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.25 2002/12/13 02:51:41 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.26 2003/07/24 06:08:20 marka Exp $
 */
 #ifdef OPENSSL
@@ -42,9 +42,15 @@
 #if OPENSSL_VERSION_NUMBER < 0x0090601fL
 #define SET_FLAGS(rsa) \
- (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE);
+ do { \
+ (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
+ (rsa)->flags |= RSA_FLAG_BLINDING; \
+ } while (0)
 #else
-#define SET_FLAGS(rsa) do { } while (0);
+#define SET_FLAGS(rsa) \
+ do { \
+ (rsa)->flags |= RSA_FLAG_BLINDING; \
+ } while (0)
 #endif
 static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
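Review bot: The `SET_FLAGS` macro in the `@@ -42,9 +42,15 @@` hunk has no comment saying why `RSA_FLAG_BLINDING` is forced on or what it relies on, and both new bodies only set a bit in `(rsa)->flags`, leaving the actual blinding setup to OpenSSL. As far as I recall, older OpenSSL releases did not make that blinding state safe to share between threads, so if one key object can be used for signing from several threads it is worth confirming the behaviour on the oldest OpenSSL version this file still supports. I would add a comment above the `#if`, for example `/* Force RSA blinding to blunt timing side channels on private-key operations; OpenSSL creates the blinding state on first use. */`. The call sites of `SET_FLAGS` are outside this hunk, so whether every path that creates or loads a private key passes through it cannot be checked from here.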