diff --git a/CHANGES b/CHANGES
index 3c90e1f625..a9f5ef9e7f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2876.	[bug]		Named could return SERVFAIL for negative responses
+			from unsigned zones. [RT #21131]
+
 2875.	[bug]		dns_time64_fromtext() could accept non digits.
 			[RT #21033]
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 8227c77010..094bb8ae12 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.188 2010/03/26 17:12:48 marka Exp $ */
+/* $Id: validator.c,v 1.189 2010/04/21 04:16:49 marka Exp $ */
 
 #include <config.h>
 
@@ -2990,7 +2990,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 		return (ISC_R_SUCCESS);
 	}
 
-	if (val->authcount == val->authfail)
+	if (val->authfail != 0 && val->authcount == val->authfail)
 		return (DNS_R_BROKENCHAIN);
 	validator_log(val, ISC_LOG_DEBUG(3),
 		      "nonexistence proof(s) not found");