diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 994195359f..4b32d0b6c0 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -20826,6 +20826,7 @@ checkds_done(isc_task_t *task, isc_event_t *event) {
 /* Validate response. */
 CHECK(validate_ds(zone, message));
+ /* Check RCODE. */
 if (message->rcode != dns_rcode_noerror) {
 dns_zone_log(zone, ISC_LOG_NOTICE,
 "checkds: bad DS response from %s: %.*s", addrbuf,
@@ -20833,6 +20834,17 @@ checkds_done(isc_task_t *task, isc_event_t *event) {
 goto failure;
 }
+ /* Make sure that either AA or RA bit is set. */
+ if ((message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
+ (message->flags & DNS_MESSAGEFLAG_RA) == 0)
+ {
+ dns_zone_log(zone, ISC_LOG_NOTICE,
+ "checkds: bad DS response from %s: expected AA or "
+ "RA bit set",
+ addrbuf);
+ goto failure;
+ }
+
 /* Lookup DS RRset. */
 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 while (result == ISC_R_SUCCESS) {
@@ -21055,6 +21067,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) {
 message->opcode = dns_opcode_query;
 message->rdclass = zone->rdclass;
+ message->flags |= DNS_MESSAGEFLAG_RD;
 result = dns_message_gettempname(message, &tempname);
 if (result != ISC_R_SUCCESS) {
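Review bot: In the second hunk (checkds_done), the comment on the new flags test restates the condition without saying why it is there, and the test could be mistaken for an authenticity check. AA and RA are header bits set by the responder, so the test only rejects replies from a server that is neither authoritative nor offering recursion; a NOERROR reply of that kind is probably a referral, and its empty answer section should not be read as the DS being absent. I would put that in the comment, for example `/* Sanity check, not authentication: without AA or RA a NOERROR reply is likely a referral and says nothing about the DS RRset. */`. What `validate_ds()` verifies before this point is not visible here, and the function's body starts and ends outside the hunk.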
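Review bot: In the third hunk (checkds_createmessage), the RD flag is now set on every checkds query with no comment saying why, even though the surrounding code in this file is commented step by step. Presumably a parental agent may be a resolver, which would not recurse for the DS without RD, and the change appears to go together with the response check in checkds_done that now accepts replies carrying only RA. A one-line comment above the assignment, such as `/* Parental agents may be resolvers; ask for recursion. */`, would record that. The function's body starts and ends outside the hunk.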