diff --git a/CHANGES b/CHANGES
index 5106dda01f..1f5e9f5973 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+3121.   [security]      An authoritative name server sending a negative
+                        response containing a very large RRset could
+                        trigger an off-by-one error in the ncache code
+                        and crash named. [RT #24650]
+
 3120.	[bug]		Named could fail to validate zones listed in a DLV
 			that validated insecure without using DLV and had
 			DS records in the parent zone. [RT #24631]
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 21f8bc058e..c6aea34379 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.52 2011/02/03 12:18:11 tbox Exp $ */
+/* $Id: ncache.c,v 1.53 2011/05/26 23:11:15 each Exp $ */
 
 /*! \file */
 
@@ -186,7 +186,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 					 */
 					isc_buffer_availableregion(&buffer,
 								   &r);
-					if (r.length < 2)
+					if (r.length < 3)
 						return (ISC_R_NOSPACE);
 					isc_buffer_putuint16(&buffer,
 							     rdataset->type);