diff --git a/CHANGES b/CHANGES
index 5f2b357b75..2527e5525b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3512. [func] "rndc validation check" reports the current status
+ of DNSSEC validation. [RT #21397]
+
 3511. [doc] Improve documentation of redirect zones. [RT #32756]
 3510. [func] "rndc status" and XML statistics channel now report
diff --git a/bin/named/control.c b/bin/named/control.c
index a48e2d1cbc..8d85975c4b 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -197,7 +197,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 } else if (command_compare(command, NS_COMMAND_NOTIFY)) {
 result = ns_server_notifycommand(ns_g_server, command, text);
 } else if (command_compare(command, NS_COMMAND_VALIDATION)) {
- result = ns_server_validation(ns_g_server, command);
+ result = ns_server_validation(ns_g_server, command, text);
 } else if (command_compare(command, NS_COMMAND_SIGN) ||
 command_compare(command, NS_COMMAND_LOADKEYS)) {
 result = ns_server_rekey(ns_g_server, command);
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index dd2679e481..b586f5c4ac 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -338,7 +338,7 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr);
 * Enable or disable dnssec validation.
 */
 isc_result_t
-ns_server_validation(ns_server_t *server, char *args);
+ns_server_validation(ns_server_t *server, char *args, isc_buffer_t *text);
 /*%
 * Add a zone to a running process
diff --git a/bin/named/server.c b/bin/named/server.c
index c6bba0eb73..875e750eb9 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
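Review bot: The comment directly above the changed prototype in server.h, `* Enable or disable dnssec validation.`, no longer describes the function now that the new `text` parameter carries a read-only mode that writes per-view status into that buffer. Suggest `* Enable or disable dnssec validation, or ("check") report its current status per view into 'text'.` and add that `text` must be a writable buffer with free space, since the implementation in server.c returns ISC_R_NOSPACE when the buffer is full.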
@@ -7333,12 +7333,12 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
 }
 isc_result_t
-ns_server_validation(ns_server_t *server, char *args) {
+ns_server_validation(ns_server_t *server, char *args, isc_buffer_t *text) {
 char *ptr, *viewname;
 dns_view_t *view;
 isc_boolean_t changed = ISC_FALSE;
 isc_result_t result;
- isc_boolean_t enable;
+ isc_boolean_t enable, set = ISC_TRUE, first = ISC_TRUE;
 /* Skip the command name. */
 ptr = next_token(&args, " \t");
@@ -7356,7 +7356,9 @@ ns_server_validation(ns_server_t *server, char *args) {
 else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
 enable = ISC_FALSE;
- else
+ else if (!strcasecmp(ptr, "check")) {
+ set = ISC_FALSE;
+ } else
 return (DNS_R_SYNTAX);
 /* Look for the view name. */
@@ -7373,10 +7375,40 @@ ns_server_validation(ns_server_t *server, char *args) {
 result = dns_view_flushcache(view);
 if (result != ISC_R_SUCCESS)
 goto out;
- view->enablevalidation = enable;
- changed = ISC_TRUE;
+
+ if (set) {
+ view->enablevalidation = enable;
+ changed = ISC_TRUE;
+ } else {
+ unsigned int n;
+ if (!first) {
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "\n");
+ if (n >= isc_buffer_availablelength(text)) {
+ result = ISC_R_NOSPACE;
+ goto out;
+ }
+ isc_buffer_add(text, n);
+ }
+ first = ISC_FALSE;
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "DNSSEC validation is %s (view %s)",
+ view->enablevalidation ?
+ "enabled" : "disabled",
+ view->name);
+ if (n >= isc_buffer_availablelength(text)) {
+ result = ISC_R_NOSPACE;
+ goto out;
+ }
+ isc_buffer_add(text, n);
+ }
 }
- if (changed)
+
+ if (!set)
+ result = ISC_R_SUCCESS;
+ else if (changed)
 result = ISC_R_SUCCESS;
 else
 result = ISC_R_FAILURE;
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index bf4d176cd5..909e6cd293 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
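Review bot: In the third server.c hunk the new `check` path still executes the context line `result = dns_view_flushcache(view);` on every matched view before reaching the `} else {` reporting branch, so a status query that is meant to be read-only discards the view's cache as a side effect. The flush is only needed when the setting actually changes, so the pair `result = dns_view_flushcache(view);` / `if (result != ISC_R_SUCCESS) goto out;` should move inside the `if (set) {` branch ahead of `view->enablevalidation = enable;`. Separately, `unsigned int n` receives the `int` return of `snprintf`, so a negative return is reported as ISC_R_NOSPACE instead of a formatting failure; declaring `int n` and checking `n < 0` before the length comparison keeps the two cases distinct. The tail `if (!set) result = ISC_R_SUCCESS; else if (changed) result = ISC_R_SUCCESS;` collapses to `if (!set || changed)`. The loop this block presumably sits in and the `out:` label are outside the hunk.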
@@ -1512,14 +1512,16 @@ zone "eng.example.com" { validation - on|off + ( on | off | check ) view ... - Enable or disable DNSSEC validation. + Enable, disable, or check the current status of + DNSSEC validation. Note dnssec-enable also needs to be - set to yes to be effective. + set to yes or + auto to be effective. It defaults to enabled.