diff --git a/CHANGES b/CHANGES index 6c7e2f8437..3c90e1f625 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2875. [bug] dns_time64_fromtext() could accept non digits. + [RT #21033] + 2874. [bug] Cache lack of EDNS support only after the server successfully responds to the query using plain DNS. [RT #20930] diff --git a/lib/dns/time.c b/lib/dns/time.c index c20242a5d2..23d77eb9c4 100644 --- a/lib/dns/time.c +++ b/lib/dns/time.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: time.c,v 1.33 2009/01/17 23:47:43 tbox Exp $ */ +/* $Id: time.c,v 1.34 2010/04/21 02:21:31 marka Exp $ */ /*! \file */ @@ -24,6 +24,7 @@ #include #include /* Required for HP/UX (and others?) */ #include +#include #include #include @@ -132,6 +133,14 @@ dns_time64_fromtext(const char *source, isc_int64_t *target) { if (strlen(source) != 14U) return (DNS_R_SYNTAX); + /* + * Confirm the source only consists digits. sscanf() allows some + * minor exceptions. + */ + for (i = 0; i < 14; i++) { + if (!isdigit((unsigned char)source[i])) + return (DNS_R_SYNTAX); + } if (sscanf(source, "%4d%2d%2d%2d%2d%2d", &year, &month, &day, &hour, &minute, &second) != 6) return (DNS_R_SYNTAX);
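Review bot: The comment added in the last lib/dns/time.c hunk, in dns_time64_fromtext(), says sscanf() "allows some minor exceptions" without naming them, so a later reader cannot tell what the digit loop protects against. A `%d` conversion skips leading whitespace and accepts a sign, so a 14-character string containing either would pass the `strlen(source) != 14U` test and still convert. I would reword the comment as `/* Reject anything but 14 digits: sscanf()'s %d skips leading whitespace and accepts a sign. */`. The bound `14` now appears twice, in the length test and in the loop condition, and a single named constant would keep the two in step. The declaration of `i` and the start and end of the function body are outside the hunk, so confirm `i` is declared there.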