diff --git a/CHANGES b/CHANGES
index bd03ca6a8f..d7b750ef27 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1247.	[bug]		The validator would incorrectly mark data as insecure
+			when seeing a bogus signature before a correct
+			signature.
+
 1246.	[bug]		DNAME/CNAME signatures were not being cached when
 			validation was not being performed. [RT #3284]
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 8b33acb6db..4f296cb97e 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.91.2.2 2002/07/02 04:02:23 marka Exp $ */
+/* $Id: validator.c,v 1.91.2.3 2002/07/15 03:02:56 marka Exp $ */
 
 #include <config.h>
 
@@ -1098,11 +1098,12 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "marking as secure");
 			return (result);
-		}
-		else
+		} else {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "verify failure: %s",
 				      isc_result_totext(result));
+			resume = ISC_FALSE;
+		}
 	}
 	if (result != ISC_R_NOMORE) {
 		validator_log(val, ISC_LOG_DEBUG(3),