diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index b175ef4a9c..4dc4edbd71 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -3068,7 +3068,7 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
 			validator_log(val, ISC_LOG_WARNING,
 				      "can't validate existing "
 				      "negative responses (no DS)");
-			*resp = DNS_R_MUSTBESECURE;
+			*resp = DNS_R_NOVALIDSIG;
 			return ISC_R_COMPLETE;
 		}
 
@@ -3167,8 +3167,6 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) {
  * Returns:
  * \li	ISC_R_SUCCESS		val->name is in an unsecure zone
  * \li	DNS_R_WAIT		validation is in progress.
- * \li	DNS_R_MUSTBESECURE	val->name is supposed to be secure
- *				(policy) but we proved that it is unsecure.
  * \li	DNS_R_NOVALIDSIG
  * \li	DNS_R_NOVALIDNSEC
  * \li	DNS_R_NOTINSECURE
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index e0c186ff8f..ba5bd8f731 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -21666,7 +21666,7 @@ nsfetch_done(void *arg) {
 	if (!dns_rdataset_isassociated(nssigset)) {
 		dnssec_log(zone, ISC_LOG_WARNING, "No NS RRSIGs found for '%s'",
 			   pnamebuf);
-		result = DNS_R_MUSTBESECURE;
+		result = DNS_R_NOVALIDSIG;
 		goto done;
 	}
 
@@ -21675,7 +21675,7 @@ nsfetch_done(void *arg) {
 		dnssec_log(zone, ISC_LOG_WARNING,
 			   "Invalid NS RRset for '%s' trust level %u", pnamebuf,
 			   nsrrset->trust);
-		result = DNS_R_MUSTBESECURE;
+		result = DNS_R_NOVALIDSIG;
 		goto done;
 	}
 
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index d359924177..6db606ee78 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -195,7 +195,6 @@ typedef enum isc_result {
 	DNS_R_BADNAME,
 	DNS_R_DYNAMIC,
 	DNS_R_UNKNOWNCOMMAND,
-	DNS_R_MUSTBESECURE,
 	DNS_R_COVERINGNSEC,
 	DNS_R_MXISADDRESS,
 	DNS_R_DUPLICATE,
diff --git a/lib/isc/result.c b/lib/isc/result.c
index f54e71e8a5..7ce2fb5f4f 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -194,7 +194,6 @@ static const char *description[ISC_R_NRESULTS] = {
 	[DNS_R_BADNAME] = "bad name (check-names)",
 	[DNS_R_DYNAMIC] = "dynamic zone",
 	[DNS_R_UNKNOWNCOMMAND] = "unknown command",
-	[DNS_R_MUSTBESECURE] = "must-be-secure",
 	[DNS_R_COVERINGNSEC] = "covering NSEC record returned",
 	[DNS_R_MXISADDRESS] = "MX is an address",
 	[DNS_R_DUPLICATE] = "duplicate query",
@@ -449,7 +448,6 @@ static const char *identifier[ISC_R_NRESULTS] = {
 	[DNS_R_BADNAME] = "DNS_R_BADNAME",
 	[DNS_R_DYNAMIC] = "DNS_R_DYNAMIC",
 	[DNS_R_UNKNOWNCOMMAND] = "DNS_R_UNKNOWNCOMMAND",
-	[DNS_R_MUSTBESECURE] = "DNS_R_MUSTBESECURE",
 	[DNS_R_COVERINGNSEC] = "DNS_R_COVERINGNSEC",
 	[DNS_R_MXISADDRESS] = "DNS_R_MXISADDRESS",
 	[DNS_R_DUPLICATE] = "DNS_R_DUPLICATE",