diff --git a/CHANGES b/CHANGES
index dcb1e236ba..2f603f0f6b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1768.	[bug]		nsecnoexistnodata() could be called with a non-NSEC
+			rdataset. [RT #12907]
+
 1767.	[placeholder]	rt13077
 
 1766.	[placeholder]	rt13062
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 59d365c194..ef1dc75920 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.123 2004/06/11 01:12:38 marka Exp $ */
+/* $Id: validator.c,v 1.124 2004/11/17 23:52:31 marka Exp $ */
 
 #include <config.h>
 
@@ -497,6 +497,8 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 
 	REQUIRE(exists != NULL);
 	REQUIRE(data != NULL);
+	REQUIRE(nsecset != NULL &&
+		nsecset->type == dns_rdatatype_nsec);
 
 	result = dns_rdataset_first(nsecset);
 	if (result != ISC_R_SUCCESS) {
@@ -661,7 +663,7 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 		if (rdataset->trust == dns_trust_secure)
 			val->seensig = ISC_TRUE;
 
-		if (val->nsecset != NULL &&
+		if (rdataset->type == dns_rdatatype_nsec &&
 		    rdataset->trust == dns_trust_secure &&
 		    ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
 		     (val->attributes & VALATTR_NEEDNOQNAME) != 0) &&