diff --git a/doc/Changelog b/doc/Changelog
index ed12bf566..f42e9338d 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+25 April 2013: Wouter
+	- Robust checks on dname validity from rdata for dname compare.
+
 19 April 2013: Wouter
 	- Fixup snprintf return value usage, fixed libunbound_get_option.
 
diff --git a/validator/val_sigcrypt.c b/validator/val_sigcrypt.c
index 79d5e45a2..4642ea6da 100644
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@@ -808,7 +808,12 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)
 		case LDNS_RR_TYPE_MR:
 		case LDNS_RR_TYPE_PTR:
 		case LDNS_RR_TYPE_DNAME:
-			return query_dname_compare(d->rr_data[i]+2, 
+			/* the wireread function has already checked these
+			 * dname's for correctness, and this double checks */
+			if(!dname_valid(d->rr_data[i]+2, d->rr_len[i]-2) ||
+				!dname_valid(d->rr_data[j]+2, d->rr_len[j]-2))
+				return 0;
+			return query_dname_compare(d->rr_data[i]+2,
 				d->rr_data[j]+2);
 
 		/* These RR types have STR and fixed size rdata fields
diff --git a/validator/val_utils.c b/validator/val_utils.c
index d4a64464d..768f2368a 100644
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -773,6 +773,8 @@ rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
 	for(i = d->count; i< d->count+d->rrsig_count; i++) {
 		if(d->rr_len[i] > 2+18+len) {
 			/* at least rdatalen + signature + signame (+1 sig)*/
+			if(!dname_valid(d->rr_data[i]+2+18, d->rr_len[i]-2-18))
+				continue;
 			if(query_dname_compare(name, d->rr_data[i]+2+18) == 0)
 			{
 				return 1;