diff --git a/CHANGES b/CHANGES
index e7bf6e31e3..95b4e901d3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4540.	[bug]		Correctly handle ecs entries in dns_acl_isinsecure.
+			[RT #43601]
+
 4539.	[bug]		Referencing a nonexistant zone with rpz could lead
 			to a assertion failure when configuring. [RT #43787]
 
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 17e24149db..0ac1c4221e 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1366,8 +1366,8 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
 			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
 				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-				      "zone '%s' allows updates by IP "
-				      "address, which is insecure",
+				      "zone '%s' allows unsigned updates "
+				      "from remote hosts, which is insecure",
 				      zname);
 
 		RETERR(configure_zone_ssutable(zoptions, mayberaw, zname));
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 12859decbd..2108c6fd68 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -589,19 +589,21 @@ is_insecure(isc_prefix_t *prefix, void **data) {
 		return;
 
 	/*
-	 * If a loopback address found and the other family
-	 * doesn't exist or is negative, return.
+	 * If a loopback address found and the other family and
+	 * ecs entry doesn't exist or is negative, return.
 	 */
 	if (prefix->bitlen == 32 &&
 	    htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK &&
 	    (data[1] == NULL || !* (isc_boolean_t *) data[1]) &&
+	    (data[2] == NULL || !* (isc_boolean_t *) data[2]) &&
 	    (data[3] == NULL || !* (isc_boolean_t *) data[3]))
 		return;
 
 	if (prefix->bitlen == 128 &&
 	    IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6) &&
 	    (data[0] == NULL || !* (isc_boolean_t *) data[0]) &&
-	    (data[2] == NULL || !* (isc_boolean_t *) data[2]))
+	    (data[2] == NULL || !* (isc_boolean_t *) data[2]) &&
+	    (data[3] == NULL || !* (isc_boolean_t *) data[3]))
 		return;
 
 	/* Non-negated, non-loopback */
diff --git a/lib/dns/tests/acl_test.c b/lib/dns/tests/acl_test.c
index 6054a3300f..41b878e333 100644
--- a/lib/dns/tests/acl_test.c
+++ b/lib/dns/tests/acl_test.c
@@ -36,6 +36,17 @@ ATF_TC_HEAD(dns_acl_isinsecure, tc) {
 }
 ATF_TC_BODY(dns_acl_isinsecure, tc) {
 	isc_result_t result;
+	unsigned int pass;
+	struct {
+		isc_boolean_t first;
+		isc_boolean_t second;
+	} ecs[] = {
+		{ ISC_FALSE, ISC_FALSE },
+		{ ISC_TRUE, ISC_TRUE },
+		{ ISC_TRUE, ISC_FALSE },
+		{ ISC_FALSE, ISC_TRUE }
+	};
+
 	dns_acl_t *any = NULL;
 	dns_acl_t *none = NULL;
 	dns_acl_t *notnone = NULL;
@@ -97,192 +108,218 @@ ATF_TC_BODY(dns_acl_isinsecure, tc) {
 	dns_acl_detach(&notany);
 	dns_acl_detach(&notnone);
 
-	result = dns_acl_create(mctx, 1, &pos4pos6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+	for (pass = 0; pass < sizeof(ecs)/sizeof(ecs[0]); pass++) {
+		result = dns_acl_create(mctx, 1, &pos4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &notpos4pos6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &notpos4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &neg4pos6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &neg4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &notneg4pos6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &notneg4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &pos4neg6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &pos4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &notpos4neg6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &notpos4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &neg4neg6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &neg4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &notneg4neg6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &notneg4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	inaddr.s_addr = htonl(0x0a000000);		/* 10.0.0.0 */
-	isc_netaddr_fromin(&addr, &inaddr);
-	result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		inaddr.s_addr = htonl(0x0a000000);	/* 10.0.0.0 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
+						ISC_TRUE, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	addr.family = AF_INET6;				/* 0a00:: */
-	result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		addr.family = AF_INET6;			/* 0a00:: */
+		result = dns_iptable_addprefix2(pos4pos6->iptable, &addr, 8,
+						ISC_TRUE, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_merge(notpos4pos6, pos4pos6, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_merge(notpos4pos6, pos4pos6, ISC_FALSE);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	inaddr.s_addr = htonl(0x0a000000);		/* !10.0.0.0/8 */
-	isc_netaddr_fromin(&addr, &inaddr);
-	result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
-					ISC_FALSE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		inaddr.s_addr = htonl(0x0a000000);	/* !10.0.0.0/8 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
+						ISC_FALSE, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	addr.family = AF_INET6;				/* 0a00::/8 */
-	result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		addr.family = AF_INET6;			/* 0a00::/8 */
+		result = dns_iptable_addprefix2(neg4pos6->iptable, &addr, 8,
+						ISC_TRUE, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_merge(notneg4pos6, neg4pos6, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_merge(notneg4pos6, neg4pos6, ISC_FALSE);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	inaddr.s_addr = htonl(0x0a000000);		/* 10.0.0.0/8 */
-	isc_netaddr_fromin(&addr, &inaddr);
-	result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		inaddr.s_addr = htonl(0x0a000000);	/* 10.0.0.0/8 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
+						ISC_TRUE, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	addr.family = AF_INET6;				/* !0a00::/8 */
-	result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
-					ISC_FALSE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		addr.family = AF_INET6;			/* !0a00::/8 */
+		result = dns_iptable_addprefix2(pos4neg6->iptable, &addr, 8,
+						ISC_FALSE, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_merge(notpos4neg6, pos4neg6, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_merge(notpos4neg6, pos4neg6, ISC_FALSE);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	inaddr.s_addr = htonl(0x0a000000);		/* !10.0.0.0/8 */
-	isc_netaddr_fromin(&addr, &inaddr);
-	result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
-					ISC_FALSE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		inaddr.s_addr = htonl(0x0a000000);	/* !10.0.0.0/8 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
+						ISC_FALSE, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	addr.family = AF_INET6;				/* !0a00::/8 */
-	result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
-					ISC_FALSE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		addr.family = AF_INET6;			/* !0a00::/8 */
+		result = dns_iptable_addprefix2(neg4neg6->iptable, &addr, 8,
+						ISC_FALSE, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_merge(notneg4neg6, neg4neg6, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_merge(notneg4neg6, neg4neg6, ISC_FALSE);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	ATF_CHECK(dns_acl_isinsecure(pos4pos6));
-	ATF_CHECK(!dns_acl_isinsecure(notpos4pos6));
-	ATF_CHECK(dns_acl_isinsecure(neg4pos6));
-	ATF_CHECK(!dns_acl_isinsecure(notneg4pos6));
-	ATF_CHECK(dns_acl_isinsecure(pos4neg6));
-	ATF_CHECK(!dns_acl_isinsecure(notpos4neg6));
-	ATF_CHECK(!dns_acl_isinsecure(neg4neg6));
-	ATF_CHECK(!dns_acl_isinsecure(notneg4neg6));
+		ATF_CHECK(dns_acl_isinsecure(pos4pos6));
+		ATF_CHECK(!dns_acl_isinsecure(notpos4pos6));
+		ATF_CHECK(dns_acl_isinsecure(neg4pos6));
+		ATF_CHECK(!dns_acl_isinsecure(notneg4pos6));
+		ATF_CHECK(dns_acl_isinsecure(pos4neg6));
+		ATF_CHECK(!dns_acl_isinsecure(notpos4neg6));
+		ATF_CHECK(!dns_acl_isinsecure(neg4neg6));
+		ATF_CHECK(!dns_acl_isinsecure(notneg4neg6));
 
-	dns_acl_detach(&pos4pos6);
-	dns_acl_detach(&notpos4pos6);
-	dns_acl_detach(&neg4pos6);
-	dns_acl_detach(&notneg4pos6);
-	dns_acl_detach(&pos4neg6);
-	dns_acl_detach(&notpos4neg6);
-	dns_acl_detach(&neg4neg6);
-	dns_acl_detach(&notneg4neg6);
+		dns_acl_detach(&pos4pos6);
+		dns_acl_detach(&notpos4pos6);
+		dns_acl_detach(&neg4pos6);
+		dns_acl_detach(&notneg4pos6);
+		dns_acl_detach(&pos4neg6);
+		dns_acl_detach(&notpos4neg6);
+		dns_acl_detach(&neg4neg6);
+		dns_acl_detach(&notneg4neg6);
 
-	result = dns_acl_create(mctx, 1, &loop4);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &loop4);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &notloop4);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &notloop4);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &loop6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &loop6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &notloop6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &notloop6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	inaddr.s_addr = htonl(0x7f000001);		/* 127.0.0.1 */
-	isc_netaddr_fromin(&addr, &inaddr);
-	result = dns_iptable_addprefix2(loop4->iptable, &addr, 32,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		inaddr.s_addr = htonl(0x7f000001);	/* 127.0.0.1 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(loop4->iptable, &addr, 32,
+						ISC_TRUE, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_merge(notloop4, loop4, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_merge(notloop4, loop4, ISC_FALSE);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	isc_netaddr_fromin6(&addr, &in6addr_loopback);	/* ::1 */
-	result = dns_iptable_addprefix2(loop6->iptable, &addr, 128,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		isc_netaddr_fromin6(&addr, &in6addr_loopback);	/* ::1 */
+		result = dns_iptable_addprefix2(loop6->iptable, &addr, 128,
+						ISC_TRUE, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_merge(notloop6, loop6, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_merge(notloop6, loop6, ISC_FALSE);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	ATF_CHECK(!dns_acl_isinsecure(loop4));
-	ATF_CHECK(!dns_acl_isinsecure(notloop4));
-	ATF_CHECK(!dns_acl_isinsecure(loop6));
-	ATF_CHECK(!dns_acl_isinsecure(notloop6));
+		if (!ecs[pass].first) {
+			ATF_CHECK(!dns_acl_isinsecure(loop4));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4));
+			ATF_CHECK(!dns_acl_isinsecure(loop6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop6));
+		} else if (ecs[pass].first) {
+			ATF_CHECK(dns_acl_isinsecure(loop4));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4));
+			ATF_CHECK(dns_acl_isinsecure(loop6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop6));
+		}
 
-	dns_acl_detach(&loop4);
-	dns_acl_detach(&notloop4);
-	dns_acl_detach(&loop6);
-	dns_acl_detach(&notloop6);
+		dns_acl_detach(&loop4);
+		dns_acl_detach(&notloop4);
+		dns_acl_detach(&loop6);
+		dns_acl_detach(&notloop6);
 
-	result = dns_acl_create(mctx, 1, &loop4pos6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &loop4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &notloop4pos6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &notloop4pos6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &loop4neg6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &loop4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_create(mctx, 1, &notloop4neg6);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_create(mctx, 1, &notloop4neg6);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	inaddr.s_addr = htonl(0x7f000001);		/* 127.0.0.1 */
-	isc_netaddr_fromin(&addr, &inaddr);
-	result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		inaddr.s_addr = htonl(0x7f000001);	/* 127.0.0.1 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
+						ISC_TRUE, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	addr.family = AF_INET6;				/* f700:0001::/32 */
-	result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		addr.family = AF_INET6;			/* f700:0001::/32 */
+		result = dns_iptable_addprefix2(loop4pos6->iptable, &addr, 32,
+						ISC_TRUE, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_merge(notloop4pos6, loop4pos6, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_merge(notloop4pos6, loop4pos6, ISC_FALSE);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	inaddr.s_addr = htonl(0x7f000001);		/* 127.0.0.1 */
-	isc_netaddr_fromin(&addr, &inaddr);
-	result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
-					ISC_TRUE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		inaddr.s_addr = htonl(0x7f000001);	/* 127.0.0.1 */
+		isc_netaddr_fromin(&addr, &inaddr);
+		result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
+						ISC_TRUE, ecs[pass].first);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	addr.family = AF_INET6;				/* !f700:0001::/32 */
-	result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
-					ISC_FALSE, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		addr.family = AF_INET6;			/* !f700:0001::/32 */
+		result = dns_iptable_addprefix2(loop4neg6->iptable, &addr, 32,
+						ISC_FALSE, ecs[pass].second);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	result = dns_acl_merge(notloop4neg6, loop4neg6, ISC_FALSE);
-	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+		result = dns_acl_merge(notloop4neg6, loop4neg6, ISC_FALSE);
+		ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
 
-	ATF_CHECK(dns_acl_isinsecure(loop4pos6));
-	ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
-	ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
-	ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		if (!ecs[pass].first && !ecs[pass].second) {
+			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		} else if (ecs[pass].first && !ecs[pass].second) {
+			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
+			ATF_CHECK(dns_acl_isinsecure(loop4neg6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		} else if (!ecs[pass].first && ecs[pass].second) {
+			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(loop4neg6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		} else {
+			ATF_CHECK(dns_acl_isinsecure(loop4pos6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4pos6));
+			ATF_CHECK(dns_acl_isinsecure(loop4neg6));
+			ATF_CHECK(!dns_acl_isinsecure(notloop4neg6));
+		}
 
-	dns_acl_detach(&loop4pos6);
-	dns_acl_detach(&notloop4pos6);
-	dns_acl_detach(&loop4neg6);
-	dns_acl_detach(&notloop4neg6);
+		dns_acl_detach(&loop4pos6);
+		dns_acl_detach(&notloop4pos6);
+		dns_acl_detach(&loop4neg6);
+		dns_acl_detach(&notloop4neg6);
+	}
 
 	dns_test_end();
 }