diff --git a/NEWS b/NEWS
index 6a235cc11f068165515eaa17cd11322f31d500de..9fac9ab4bcca5ea79f239919d6c885ac92c1c773 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ Bugfixes:
 	* Transfers randomly cancelled
 	* Disabling RRL on reload
 	* Secondary groups not initialized when dropping privileges
+	* Responding to DS queries for names at or below delegation points
 
 v1.3.0-rc5 - Jul 29, 2013
 -------------------------
diff --git a/src/libknot/nameserver/name-server.c b/src/libknot/nameserver/name-server.c
index 03b7c2510dcfa0ae79b9940d14742dfe0fd94bfd..10e2eeab0ab9942bae480bb34c131897a2330c05 100644
--- a/src/libknot/nameserver/name-server.c
+++ b/src/libknot/nameserver/name-server.c
@@ -1257,6 +1257,8 @@ static int ns_put_nsec_nsec3_nodata(const knot_zone_contents_t *zone,
 			dbg_ns_detail("Putting the RRSet to Authority\n");
 			ret = knot_response_add_rrset_authority(resp, rrset, 1,
 			                                        0, 1);
+		} else {
+			return KNOT_ENONODE;
 		}
 	} else {
 		dbg_ns_verb("Adding NSEC for NODATA\n");
@@ -1739,10 +1741,12 @@ static inline int ns_referral(const knot_node_t *node,
 		node = knot_node_parent(node);
 	}
 
+	int at_deleg = !knot_dname_compare(qname, knot_node_owner(node));
+
 	int ret = KNOT_EOK;
 
 	// Special handling of DS queries
-	if (qtype == KNOT_RRTYPE_DS) {
+	if (qtype == KNOT_RRTYPE_DS && at_deleg) {
 		knot_rrset_t *ds_rrset = knot_node_get_rrset(node,
 		                                             KNOT_RRTYPE_DS);
 
@@ -1762,7 +1766,15 @@ static inline int ns_referral(const knot_node_t *node,
 
 			dbg_ns_verb("Adding NSEC/NSEC3 for NODATA.\n");
 			ret = ns_put_nsec_nsec3_nodata(zone, node, resp);
-			if (ret != KNOT_EOK) {
+
+			if (ret == KNOT_ENONODE) {
+				// No NSEC3 node => Opt-out
+				const knot_node_t *closest_encloser = node;
+				ret = ns_put_nsec3_closest_encloser_proof(zone,
+				                              &closest_encloser,
+				                              qname, resp);
+
+			} else if (ret != KNOT_EOK) {
 				return ret;
 			}