diff --git a/doc/Changelog b/doc/Changelog
index ccc38affb..f743e3f05 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+3 April 2009: Wouter
+	- Fixed a bug that caused messages to be stored in the cache too 
+	  long.  Hard to trigger, but NXDOMAINs for nameservers or CNAME
+	  targets have been more vulnerable to the TTL miscalculation bug. 
+
 2 April 2009: Wouter
 	- pyunbound (libunbound python plugin) compiles using libtool.
 	- documentation for pythonmod and pyunbound is generated in doc/html.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 975577002..8b58ea1e0 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -858,6 +858,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 		if(verbosity >= VERB_ALGO)
 			log_dns_msg("msg from cache lookup", &msg->qinfo, 
 				msg->rep);
+		verbose(VERB_ALGO, "msg ttl is %d", (int)msg->rep->ttl);
 
 		if(type == RESPONSE_TYPE_CNAME) {
 			uint8_t* sname = 0;
diff --git a/services/cache/dns.c b/services/cache/dns.c
index 2e7ba642e..4f4055268 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -426,7 +426,7 @@ tomsg(struct module_env* env, struct msgreply_entry* e, struct reply_info* r,
 		return NULL;
 	msg->rep->flags = r->flags;
 	msg->rep->qdcount = r->qdcount;
-	msg->rep->ttl = r->ttl;
+	msg->rep->ttl = r->ttl - now;
 	msg->rep->security = r->security;
 	msg->rep->an_numrrsets = r->an_numrrsets;
 	msg->rep->ns_numrrsets = r->ns_numrrsets;
diff --git a/testdata/ttl_msg.rpl b/testdata/ttl_msg.rpl
new file mode 100644
index 000000000..11c37123c
--- /dev/null
+++ b/testdata/ttl_msg.rpl
@@ -0,0 +1,491 @@
+; config options
+; fetch all extra targets - we want to trigger a lookup in cache
+server:
+	target-fetch-policy: "-1 -1 -1 -1 -1"
+	access-control: 127.0.0.1 allow_snoop
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test TTL countdown on messages in the cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.gtld-servers.net.	IN A
+SECTION ANSWER
+a.gtld-servers.net.	IN A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET.	IN	A
+SECTION ANSWER
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.gtld-servers.net.	IN AAAA
+SECTION AUTHORITY
+. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET.	IN	AAAA
+SECTION AUTHORITY
+. 86400 IN SOA . . 20070304 28800 7200 604800 86400
+ENTRY_END
+
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+foo.com. IN A
+SECTION AUTHORITY
+foo.com.	IN NS	ns.foo.com.
+;foo.com.	IN NS	nx1.example.com.
+SECTION ADDITIONAL
+ns.foo.com.		IN 	A	1.2.5.6
+ENTRY_END
+RANGE_END
+
+; ns.foo.com
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.5.6
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+foo.com. IN NS
+SECTION ANSWER
+foo.com.	IN NS	ns.foo.com.
+;foo.com.	IN NS	nx1.example.com.
+SECTION ADDITIONAL
+ns.foo.com.		IN 	A	1.2.5.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.foo.com. IN A
+SECTION ANSWER
+;www.foo.com.		IN 	A	1.2.5.6
+www.foo.com.	IN CNAME  nx1.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.foo.com. IN A
+SECTION ANSWER
+ns.foo.com.		IN 	A	1.2.5.6
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.foo.com. IN AAAA
+SECTION AUTHORITY
+foo.com.  IN SOA . . 1 2 3 4 3600
+ENTRY_END
+RANGE_END
+
+; ns.example.com. --- serial=15
+RANGE_BEGIN 0 20
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com.		IN 	A	1.2.3.4
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 15 28800 7200 604800 10
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+nx1.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 15 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+nx2.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 15 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+RANGE_END
+
+; ns.example.com. --- serial=17
+RANGE_BEGIN 20 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com.		IN 	A	1.2.3.4
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 17 28800 7200 604800 10
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+nx1.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 17 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+nx2.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 17 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+RANGE_END
+
+; start by passing time ; so we are not at 0
+STEP 1 TIME_PASSES ELAPSE 10
+
+; query for NXDOMAIN
+STEP 8 QUERY
+ENTRY_BEGIN
+REPLY RD CD
+SECTION QUESTION
+nx1.example.com. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NXDOMAIN CD
+SECTION QUESTION
+nx1.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 15 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+; wait for 5 seconds
+STEP 20 TIME_PASSES ELAPSE 5
+
+; do a lookup for nx1.example.com just to check TTLs...
+STEP 25 QUERY
+ENTRY_BEGIN
+REPLY RD CD
+SECTION QUESTION
+nx1.example.com. IN A
+ENTRY_END
+STEP 26 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NXDOMAIN CD
+SECTION QUESTION
+nx1.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 5 IN SOA . . 15 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+; cause a lookup that refreshes the TTL on the SOA record
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+nx2.example.com. IN A
+ENTRY_END
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+nx2.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 17 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+; do a lookup for nx1.example.com to check TTLs updated
+STEP 35 QUERY
+ENTRY_BEGIN
+REPLY RD CD
+SECTION QUESTION
+nx1.example.com. IN A
+ENTRY_END
+STEP 36 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NXDOMAIN CD
+SECTION QUESTION
+nx1.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 17 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+; cause a lookup for nx1.example.com bypassing the cache.
+; with bug; this causes msg ttl for nx1 to be time(NOW)+ttl.
+; so 15+5 = 20
+; visiable in debug log as "msg ttl is %d"
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.foo.com. IN A
+ENTRY_END
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.foo.com. IN A
+SECTION ANSWER
+;www.foo.com IN A 1.2.5.6
+www.foo.com IN CNAME nx1.example.com.
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 17 28800 7200 604800 10
+ENTRY_END
+
+; now cause lookup from cache by not passing CD flag
+; (validator has a look, and stores after iterator cache lookup).
+STEP 45 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+nx1.example.com. IN A
+ENTRY_END
+STEP 46 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+nx1.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 10 IN SOA . . 17 28800 7200 604800 10
+SECTION ADDITIONAL
+ENTRY_END
+
+; the message should timeout in 5 seconds, wait 7
+STEP 50 TIME_PASSES ELAPSE 7
+
+; it is still there? (nonRD query)
+STEP 55 QUERY
+ENTRY_BEGIN
+REPLY 
+SECTION QUESTION
+nx1.example.com. IN A
+ENTRY_END
+
+; this answer is the bug - NXDOMAIN too long in the cache.
+;STEP 56 CHECK_ANSWER
+;ENTRY_BEGIN
+;MATCH all ttl
+;REPLY QR RA NXDOMAIN
+;SECTION QUESTION
+;nx1.example.com. IN A
+;SECTION ANSWER
+;SECTION AUTHORITY
+;example.com. 3 IN SOA . . 17 28800 7200 604800 10
+;SECTION ADDITIONAL
+;ENTRY_END
+
+; Now the correct answer: no such cached query.
+STEP 56 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA NOERROR
+SECTION QUESTION
+nx1.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END