diff --git a/doc/Changelog b/doc/Changelog
index 58e6e7608..ebd85e350 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+6 July 2012: Wouter
+	- Fix validation of qtype DS queries that result in no data for
+	  non-optout NSEC3 zones.
+
 4 July 2012: Wouter
 	- compile libunbound with libnss on Suse, passes regression tests.
 
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index 419bbc51d..2a2cfcf9b 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -1171,8 +1171,8 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 		 * If not type DS: matching nsec3 must not be a delegation.
 		 */
 		if(qinfo->qtype == LDNS_RR_TYPE_DS && qinfo->qname_len != 1 
-			&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA &&
-			!dname_is_root(qinfo->qname))) {
+			&& nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA) &&
+			!dname_is_root(qinfo->qname)) {
 			verbose(VERB_ALGO, "proveNodata: apex NSEC3 "
 				"abused for no DS proof, bogus");
 			return sec_status_bogus;