diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index a42e5bf263..81ecce2bfc 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -590,7 +590,6 @@ dns_rdatatype_isknown(dns_rdatatype_t type);
  *
  */
 
-
 isc_result_t
 dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
 			 void *arg);
@@ -683,6 +682,16 @@ dns_rdatatype_atparent(dns_rdatatype_t type);
  *
  */
 
+bool
+dns_rdatatype_atcname(dns_rdatatype_t type);
+/*%<
+ * Return true iff rdata of type 'type' can appear beside a cname.
+ *
+ * Requires:
+ * \li	'type' is a valid rdata type.
+ *
+ */
+
 unsigned int
 dns_rdatatype_attributes(dns_rdatatype_t rdtype);
 /*%<
@@ -711,10 +720,12 @@ dns_rdatatype_attributes(dns_rdatatype_t rdtype);
 #define DNS_RDATATYPEATTR_UNKNOWN		0x00000040U
 /*% Is META, and can only be in a question section */
 #define DNS_RDATATYPEATTR_QUESTIONONLY		0x00000080U
-/*% is META, and can NOT be in a question section */
+/*% Is META, and can NOT be in a question section */
 #define DNS_RDATATYPEATTR_NOTQUESTION		0x00000100U
 /*% Is present at zone cuts in the parent, not the child */
 #define DNS_RDATATYPEATTR_ATPARENT		0x00000200U
+/*% Can exist along side a CNAME */
+#define DNS_RDATATYPEATTR_ATCNAME		0x00000400U
 
 dns_rdatatype_t
 dns_rdata_covers(dns_rdata_t *rdata);
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index ea5000fab2..ebd608ae9b 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -2283,6 +2283,14 @@ dns_rdatatype_questiononly(dns_rdatatype_t type) {
 	return (false);
 }
 
+bool
+dns_rdatatype_atcname(dns_rdatatype_t type) {
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATCNAME) != 0) {
+		return (true);
+	}
+	return (false);
+}
+
 bool
 dns_rdatatype_atparent(dns_rdatatype_t type) {
 	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATPARENT) != 0)
@@ -2310,10 +2318,11 @@ dns_rdatatype_isdnssec(dns_rdatatype_t type) {
 
 bool
 dns_rdatatype_iszonecutauth(dns_rdatatype_t type) {
-	if ((dns_rdatatype_attributes(type)
-	     & (DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH))
+	if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ZONECUTAUTH)
 	    != 0)
+	{
 		return (true);
+	}
 	return (false);
 }
 
diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c
index 1927ee46b8..7be66d1f00 100644
--- a/lib/dns/rdata/generic/ds_43.c
+++ b/lib/dns/rdata/generic/ds_43.c
@@ -16,7 +16,8 @@
 #define RDATA_GENERIC_DS_43_C
 
 #define RRTYPE_DS_ATTRIBUTES \
-	(DNS_RDATATYPEATTR_DNSSEC|DNS_RDATATYPEATTR_ATPARENT)
+	( DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH | \
+	  DNS_RDATATYPEATTR_ATPARENT )
 
 #include <isc/md.h>
 
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
index 34c0cea017..44cbdf3a5e 100644
--- a/lib/dns/rdata/generic/key_25.c
+++ b/lib/dns/rdata/generic/key_25.c
@@ -16,7 +16,8 @@
 
 #include <dst/dst.h>
 
-#define RRTYPE_KEY_ATTRIBUTES (0)
+#define RRTYPE_KEY_ATTRIBUTES \
+	( DNS_RDATATYPEATTR_ATCNAME | DNS_RDATATYPEATTR_ZONECUTAUTH )
 
 static inline isc_result_t
 generic_fromtext_key(ARGS_FROMTEXT) {
diff --git a/lib/dns/rdata/generic/nsec_47.c b/lib/dns/rdata/generic/nsec_47.c
index 05e575b62c..0ba688cec0 100644
--- a/lib/dns/rdata/generic/nsec_47.c
+++ b/lib/dns/rdata/generic/nsec_47.c
@@ -18,7 +18,9 @@
  * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
  * because we must be able to handle a parent/child NSEC pair.
  */
-#define RRTYPE_NSEC_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+#define RRTYPE_NSEC_ATTRIBUTES \
+	( DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH | \
+	  DNS_RDATATYPEATTR_ATCNAME )
 
 static inline isc_result_t
 fromtext_nsec(ARGS_FROMTEXT) {
diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c
index fb945ff1ed..8bc8d21f3f 100644
--- a/lib/dns/rdata/generic/rrsig_46.c
+++ b/lib/dns/rdata/generic/rrsig_46.c
@@ -14,7 +14,9 @@
 #ifndef RDATA_GENERIC_RRSIG_46_C
 #define RDATA_GENERIC_RRSIG_46_C
 
-#define RRTYPE_RRSIG_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+#define RRTYPE_RRSIG_ATTRIBUTES \
+	( DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH | \
+	  DNS_RDATATYPEATTR_ATCNAME )
 
 static inline isc_result_t
 fromtext_rrsig(ARGS_FROMTEXT) {
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 9642fa48cc..72a93d225f 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -826,6 +826,7 @@ dns_rdataslab_fromrdataset
 dns_rdataslab_merge
 dns_rdataslab_size
 dns_rdataslab_subtract
+dns_rdatatype_atcname
 dns_rdatatype_atparent
 dns_rdatatype_attributes
 dns_rdatatype_format
diff --git a/lib/ns/update.c b/lib/ns/update.c
index a387dfd11d..2a3c7d244f 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -798,8 +798,10 @@ static isc_result_t
 cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
 	UNUSED(data);
 	if (rrset->type != dns_rdatatype_cname &&
-	    ! dns_rdatatype_isdnssec(rrset->type))
+	    ! dns_rdatatype_atcname(rrset->type))
+	{
 		return (ISC_R_EXISTS);
+	}
 	return (ISC_R_SUCCESS);
 }
 
@@ -2852,7 +2854,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 						   dns_rdatatype_cname, 0,
 						   &flag));
 				if (flag &&
-				    ! dns_rdatatype_isdnssec(rdata.type))
+				    ! dns_rdatatype_atcname(rdata.type))
 				{
 					update_log(client, zone,
 						   LOGLEVEL_PROTOCOL,