diff --git a/CHANGES b/CHANGES
index a9f5ef9e7f..925f52f6bf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2877. [bug] The validator failed to skip obviously mismatching
+ RRSIGs. [RT #21138]
+
 2876. [bug] Named could return SERVFAIL for negative responses from unsigned zones. [RT #21131]
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 094bb8ae12..f183d0b50f 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: validator.c,v 1.189 2010/04/21 04:16:49 marka Exp $ */
+/* $Id: validator.c,v 1.190 2010/04/21 05:45:47 marka Exp $ */
 #include
@@ -2119,7 +2119,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 &sigrdata);
 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if (dlv.key_tag != sig.keyid &&
+ if (dlv.key_tag != sig.keyid ||
 dlv.algorithm != sig.algorithm)
 continue;
 dstkey = NULL;
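Review bot: The corrected test in dlv_validatezonekey, `if (dlv.key_tag != sig.keyid || dlv.algorithm != sig.algorithm) continue;`, has no comment stating the intended rule, and a one-token difference between `&&` and `||` is what caused the bug. With `&&`, an RRSIG was skipped only when both fields differed, so a signature matching on key tag alone or on algorithm alone presumably went on to the key setup that begins at `dstkey = NULL;`. I would add `/* Skip RRSIGs that cannot belong to this DLV record: key tag and algorithm must both match. */` directly above the condition. The commit touches only CHANGES and validator.c, so nothing pins the behaviour; a regression test with an RRSIG whose key tag matches the DLV record but whose algorithm does not would guard against the operator being flipped back. The loop and the function begin and end outside the hunk, so it is worth confirming separately that any other signature-selection loop in validator.c applies the same either-field-mismatch rule.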