diff --git a/CHANGES b/CHANGES
index d1d2eb9a2a..bd03ca6a8f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1246.	[bug]		DNAME/CNAME signatures were not being cached when
+			validation was not being performed. [RT #3284]
+
 1343.	[port]		linux: Slackware 4.0 needs <asm/unistd.h>.
 
 1340.	[doc]		query-source-v6 was missing from options section.
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 88aaac024e..ec77908e9c 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.218.2.11 2002/07/10 06:42:59 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.12 2002/07/15 02:28:07 marka Exp $ */
 
 #include <config.h>
 
@@ -3657,7 +3657,7 @@ answer_response(fetchctx_t *fctx) {
 	dns_name_t *name, *qname, tname;
 	dns_rdataset_t *rdataset;
 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
-	isc_boolean_t have_answer, found_cname, found_type;
+	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
 	unsigned int aflag;
 	dns_rdatatype_t type;
 	dns_fixedname_t dname, fqname;
@@ -3689,6 +3689,7 @@ answer_response(fetchctx_t *fctx) {
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
 		if (dns_name_equal(name, qname)) {
+			wanted_chaining = ISC_FALSE;
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
@@ -3809,7 +3810,7 @@ answer_response(fetchctx_t *fctx) {
 					 * CNAME chaining.
 					 */
 					if (want_chaining) {
-						chaining = ISC_TRUE;
+						wanted_chaining = ISC_TRUE;
 						name->attributes |=
 							DNS_NAMEATTR_CHAINING;
 						rdataset->attributes |=
@@ -3821,12 +3822,27 @@ answer_response(fetchctx_t *fctx) {
 				 * We could add an "else" clause here and
 				 * log that we're ignoring this rdataset.
 				 */
+				
+				/*
+				 * If wanted_chaining is true, we've done
+				 * some chaining as the result of processing
+				 * this node, and thus we need to set
+				 * chaining to true.
+				 *
+				 * We don't set chaining inside of the
+				 * rdataset loop because doing that would
+				 * cause us to ignore the signatures of
+				 * CNAMEs.
+				 */
+				if (wanted_chaining)
+					chaining = ISC_TRUE;
 			}
 		} else {
 			/*
 			 * Look for a DNAME (or its SIG).  Anything else is
 			 * ignored.
 			 */
+			wanted_chaining = ISC_FALSE;
 			for (rdataset = ISC_LIST_HEAD(name->list);
 			     rdataset != NULL;
 			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
@@ -3922,7 +3938,7 @@ answer_response(fetchctx_t *fctx) {
 						  NULL);
 						if (result != ISC_R_SUCCESS)
 							return (result);
-						chaining = ISC_TRUE;
+						wanted_chaining = ISC_TRUE;
 						name->attributes |=
 							DNS_NAMEATTR_CHAINING;
 						rdataset->attributes |=
@@ -3932,6 +3948,8 @@ answer_response(fetchctx_t *fctx) {
 					}
 				}
 			}
+			if (wanted_chaining)
+				chaining = ISC_TRUE;
 		}
 		result = dns_message_nextname(message, DNS_SECTION_ANSWER);
 	}