diff --git a/CHANGES b/CHANGES
index 7be817a6a6..138cefccb1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1853.	[bug]		Rework how DLV interacts with proveunsecure().
+			[RT #13605]
+
 1852.	[cleanup]	Remove last vestiges of dnssec-signkey and
 			dnssec-makekeyset (removed from Makefile years ago).
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 1c733e56eb..25a474d41a 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.128 2005/04/27 04:56:52 sra Exp $ */
+/* $Id: validator.c,v 1.129 2005/05/06 01:59:38 marka Exp $ */
 
 /*! \file */
 
@@ -2355,9 +2355,10 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 					       val->event->name,
 					       dns_fixedname_name(&secroot));
 	/*
-	 * If the name is not under a security root, it must be insecure.
+	 * If the name is not under a security root look for a dlv record.
 	 */
-	if (val->view->dlv != NULL && !DLVSEPTRIED(val) && 
+	if (result == ISC_R_NOTFOUND &&
+	    val->view->dlv != NULL && !DLVSEPTRIED(val) && 
 	    !dns_name_issubdomain(val->event->name, val->view->dlv)) {
 		tresult = finddlvsep(val, ISC_FALSE);
 		if (tresult != ISC_R_NOTFOUND && tresult != ISC_R_SUCCESS) {
@@ -2368,6 +2369,11 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 		}
 	}
 
+	/*
+	 * If there is no security root and a dlv record was not found we are
+	 * done.  If a dlv record was found use that as the secure entry point,
+	 * if no security root was found.
+	 */
 	if (result == ISC_R_NOTFOUND) {
 		if (!val->havedlvsep) {
 			validator_log(val, ISC_LOG_DEBUG(3),
@@ -2438,7 +2444,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 		if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
 			/*
 			 * There is no DS.  If this is a delegation,
-			 * we're done.
+			 * we maybe done.
 			 */
 			if (val->frdataset.trust < dns_trust_secure) {
 				/*
@@ -2451,6 +2457,25 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
 				goto out;
 			}
 			if (isdelegation(tname, &val->frdataset, result)) {
+				/*
+				 * If we havn't looked for a dlvsep look for
+				 * one now.  If found restart the proof.
+				 */
+				if (val->view->dlv != NULL &&
+				    !DLVSEPTRIED(val) && 
+				    !dns_name_issubdomain(val->event->name,
+							  val->view->dlv)) {
+					tresult = finddlvsep(val, ISC_FALSE);
+					if (tresult != ISC_R_NOTFOUND &&
+					    tresult != ISC_R_SUCCESS) {
+						validator_log(val,
+							      ISC_LOG_DEBUG(3),
+						    "finddlvsep returned: %s",
+						    dns_result_totext(tresult));
+						return (tresult);
+					}
+					return (proveunsecure(val, ISC_FALSE));
+				}
 				if (val->mustbesecure) {
 					validator_log(val, ISC_LOG_WARNING,
 						      "must be secure failure");