diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 937748e305..c7b2123a94 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -542,6 +542,18 @@ import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
 rdtype = rdataset->type;
+ switch (rdataset->trust) {
+ case dns_trust_glue:
+ case dns_trust_additional:
+ rdataset->ttl = ADB_CACHE_MINIMUM;
+ break;
+ case dns_trust_ultimate:
+ rdataset->ttl = 0;
+ break;
+ default:
+ rdataset->ttl = ttlclamp(rdataset->ttl);
+ }
+
 REQUIRE(rdtype == dns_rdatatype_a || rdtype == dns_rdatatype_aaaa);
 for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS;
@@ -601,22 +613,24 @@ import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
 switch (rdtype) {
 case dns_rdatatype_a:
- DP(NCACHE_LEVEL,
- "expire_v4 set to MIN(%u,%u,%u) import_rdataset",
- adbname->expire_v4, now + ADB_ENTRY_WINDOW,
- now + rdataset->ttl);
- adbname->expire_v4 = ISC_MIN(
- adbname->expire_v4,
- ISC_MIN(now + ADB_ENTRY_WINDOW, now + rdataset->ttl));
+ adbname->expire_v4 =
+ (rdataset->ttl != 0)
+ ? ISC_MIN(adbname->expire_v4,
+ ISC_MAX(now + ADB_ENTRY_WINDOW,
+ now + rdataset->ttl))
+ : INT_MAX;
+ DP(NCACHE_LEVEL, "expire_v4 set to %u import_rdataset",
+ adbname->expire_v4);
 break;
 case dns_rdatatype_aaaa:
- DP(NCACHE_LEVEL,
- "expire_v6 set to MIN(%u,%u,%u) import_rdataset",
- adbname->expire_v6, now + ADB_ENTRY_WINDOW,
- now + rdataset->ttl);
- adbname->expire_v6 = ISC_MIN(
- adbname->expire_v6,
- ISC_MIN(now + ADB_ENTRY_WINDOW, now + rdataset->ttl));
+ adbname->expire_v6 =
+ (rdataset->ttl != 0)
+ ? ISC_MIN(adbname->expire_v6,
+ ISC_MAX(now + ADB_ENTRY_WINDOW,
+ now + rdataset->ttl))
+ : INT_MAX;
+ DP(NCACHE_LEVEL, "expire_v6 set to %u import_rdataset",
+ adbname->expire_v6);
 break;
 default:
 UNREACHABLE();
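Review bot: In the first hunk, the `rdataset->ttl = 0` assignment for `dns_trust_ultimate` carries a meaning that nothing here documents: the expiry code in the second hunk reads a zero TTL as "never expire" and stores `INT_MAX`. A comment above the switch would make that contract visible, for example `/* TTL 0 marks ultimate-trust data; the expiry code below maps it to INT_MAX (no expiry). */`. The switch also rewrites the caller's rdataset before the `REQUIRE` on `rdtype` has run; placing it after the assertion keeps the precondition check ahead of any side effect. import_rdataset begins and ends outside the hunk.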
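Review bot: In both the `dns_rdatatype_a` and `dns_rdatatype_aaaa` branches of the second hunk, `rdataset->ttl != 0` stands in for "not ultimate trust", so the never-expire `INT_MAX` path is only safe if no other rdataset can reach this point with a zero TTL. That holds only if `ttlclamp()` (not shown) enforces a non-zero floor and `ADB_CACHE_MINIMUM` is non-zero; otherwise a zero-TTL answer would be pinned in the ADB with no expiry, the opposite of what its TTL asked for. Testing the trust level directly, `(rdataset->trust != dns_trust_ultimate)`, removes that coupling. The inner `ISC_MIN` also became `ISC_MAX`, so every non-ultimate address now lives at least `ADB_ENTRY_WINDOW`, glue and additional data included; a comment stating that this floor is intended would help the next reader. import_rdataset begins and ends outside the hunk.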