diff --git a/doc/Changelog b/doc/Changelog index 99e31d8f3..64033a698 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,7 @@ - Fix interface-automatic for OpenBSD: msg.controllen was too small, also assertions on ancillary data buffer. - check for IP_SENDSRCADDR for interface-automatic or IP_PKTINFO. + - for NSEC3 check if signatures are cached. 15 March 2010: Wouter - unit test for util/regional.c. diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c index c48e91351..004c8f7a2 100644 --- a/validator/val_nsec3.c +++ b/validator/val_nsec3.c @@ -48,6 +48,7 @@ #include "validator/val_nsec3.h" #include "validator/validator.h" #include "validator/val_kentry.h" +#include "services/cache/rrset.h" #include "util/regional.h" #include "util/rbtree.h" #include "util/module.h" @@ -1254,8 +1255,15 @@ list_is_secure(struct module_env* env, struct val_env* ve, size_t i; enum sec_status sec; for(i=0; ientry.data; if(list[i]->rk.type != htons(LDNS_RR_TYPE_NSEC3)) continue; + if(d->security == sec_status_secure) + continue; + rrset_check_sec_status(env->rrset_cache, list[i], *env->now); + if(d->security == sec_status_secure) + continue; sec = val_verify_rrset_entry(env, ve, list[i], kkey, reason); if(sec != sec_status_secure) { verbose(VERB_ALGO, "NSEC3 did not verify");
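Review bot: The two added `if(d->security == sec_status_secure) continue;` shortcuts in list_is_secure skip `val_verify_rrset_entry(env, ve, list[i], kkey, reason)` without a comment explaining why a stored status may replace a signature check against `kkey`. Nothing visible in the hunk ties that status to the key entry passed in, and any TTL or data-equality test would have to sit inside `rrset_check_sec_status`, whose body is not shown here. If the author can confirm the invariant, I would add `/* already marked secure by an earlier validation, skip the crypto */` above the first shortcut. Above the cache call I would add `/* picks up a secure status from the rrset cache; see services/cache/rrset.h for the conditions */`. The loop header and the declaration of `d` are truncated on this page, and the function starts and ends outside the hunk, so this rests on the visible lines only.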