diff --git a/CHANGES b/CHANGES
index baf0b4ad89..c390df909a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+	--- 9.3.6-P1 released ---
+
+2522.	[security]	Handle -1 from DSA_do_verify().
+
 2498.	[bug]		Removed a bogus function argument used with
 			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
 			warning or crash named with the debug 1 level
diff --git a/lib/dns/api b/lib/dns/api
index eaa7c6def4..6bbd1729bc 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
 LIBINTERFACE = 26
-LIBREVISION = 1
+LIBREVISION = 2
 LIBAGE = 0
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index df731e45a4..fbfcfbad35 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -16,7 +16,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.1.4.7 2007/08/28 07:19:13 tbox Exp $ */
+/* $Id: openssldsa_link.c,v 1.1.4.8 2008/12/24 00:21:45 marka Exp $ */
 
 #ifdef OPENSSL
 
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
 	DSA_SIG_free(dsasig);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index c33913ce3d..765d9ed2a5 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.4.9 2006/11/07 21:28:40 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.1.4.10 2008/12/24 00:21:45 marka Exp $
  */
 #ifdef OPENSSL
 
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 	status = RSA_verify(type, digest, digestlen, sig->base,
 			    RSA_size(rsa), rsa);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);
diff --git a/version b/version
index b0e3529350..f89ed03fd6 100644
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.26.2.17.2.34 2008/11/12 04:04:56 marka Exp $
+# $Id: version,v 1.26.2.17.2.35 2008/12/24 00:21:45 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -6,5 +6,5 @@
 MAJORVER=9
 MINORVER=3
 PATCHVER=6
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=1