diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 95af49c3a2..d7aa394f92 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -328,6 +328,16 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 }
 dns_rdataset_current(nsecset, &rdata);
+#ifdef notyet
+ if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) ||
+ !dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
+ {
+ (*logit)(arg, ISC_LOG_DEBUG(3),
+ "NSEC missing RRSIG and/or NSEC from type map");
+ return (ISC_R_IGNORE);
+ }
+#endif
+
 (*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
 relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 71a65d4894..ce88b2df51 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -10069,6 +10069,14 @@ query_coveringnsec(query_ctx_t *qctx) {
 goto cleanup;
 }
+ /*
+ * If NSEC or RRSIG are missing from the type map
+ * reject the NSEC RRset.
+ */
+ if (!dns_nsec_requiredtypespresent(qctx->rdataset)) {
+ goto cleanup;
+ }
+
 /*
 * Check that we have the correct NOQNAME NSEC record.
 */
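Review bot: The new type-map check in dns_nsec_noexistnodata is wrapped in `#ifdef notyet`, so it is compiled out and this function still accepts an NSEC whose bitmap lacks RRSIG or NSEC; nothing in the hunk says why it is disabled or what has to happen before it is enabled. As far as this diff shows, only query_coveringnsec in lib/ns/query.c enforces the rule (through dns_nsec_requiredtypespresent), so other callers of dns_nsec_noexistnodata presumably remain unprotected, which is worth confirming. I would add a comment above the guard such as `/* Disabled for now: <reason>. Until enabled, callers must check dns_nsec_requiredtypespresent() themselves. */`, with the reason filled in by the author. The function body starts and ends outside the hunk.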
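Review bot: The new rejection in query_coveringnsec jumps to `cleanup` silently, whereas the matching (currently disabled) check in lib/dns/nsec.c logs "NSEC missing RRSIG and/or NSEC from type map" at debug level 3. An NSEC RRset with an incomplete type map is malformed and possibly hostile cached data, so the rejection should be visible to an operator; consider emitting a debug-level message with the same wording just before `goto cleanup;`. dns_nsec_requiredtypespresent is defined outside this diff, so whether it inspects every record in the RRset cannot be confirmed from here. The function continues outside the hunk.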