diff --git a/doc/Changelog b/doc/Changelog
index 7a23907b6..b4fcfd535 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -4,6 +4,7 @@
 	- check cache security status and either send the query to be
 	  validated, return the query to client, or send servfail to client.
 	  Sets AD bit on validated replies.
+	- do not examine security status on an error reply in mesh_done.
 
 20 August 2007: Wouter
 	- validate and positive validation, positive wildcard NSEC validation.
diff --git a/services/mesh.c b/services/mesh.c
index 2adc732c1..e1f800b2c 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -427,11 +427,11 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	struct timeval end_time;
 	int secure;
 	/* examine security status */
-	if(m->s.env->need_to_validate && !(r->qflags&BIT_CD) &&
+	if(m->s.env->need_to_validate && !(r->qflags&BIT_CD) && rep && 
 		rep->security <= sec_status_bogus) {
 		rcode = LDNS_RCODE_SERVFAIL;
 	}
-	if(rep->security == sec_status_secure)
+	if(rep && rep->security == sec_status_secure)
 		secure = 1;
 	else	secure = 0;
 	/* send the reply */