diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index da59fc3827d5d66811db968bcb9dc42ac573c397..f2d7f36fcd07821b95c723ded1b39c8920571f64 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -363,10 +363,10 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
 		if (state == KNOT_STATE_FAIL) {
 			return state;
 		}
-		/* Follow chain only within current cut. */
+		/* Follow chain only within current cut (if secure). */
 		if (follow_chain) {
 			follow_cname_chain(&cname, rr, query);
-			if (!knot_dname_in(query->zone_cut.name, cname)) {
+			if (!(query->flags & QUERY_DNSSEC_WANT) || !knot_dname_in(query->zone_cut.name, cname)) {
 				follow_chain = false; 
 			}
 		}
diff --git a/lib/layer/rrcache.c b/lib/layer/rrcache.c
index 623f6fe244c90f93d0b742b3781f748108f49d4e..dfd2cec419f6361e32669c36a735f6cd33743665 100644
--- a/lib/layer/rrcache.c
+++ b/lib/layer/rrcache.c
@@ -260,8 +260,8 @@ static int stash_answer(struct kr_query *qry, knot_pkt_t *pkt, map_t *stash, mm_
 			continue;
 		}
 		kr_rrmap_add(stash, rr, KR_RANK_AUTH, pool);
-		/* Follow CNAME chain in current cut. */
-		if (rr->type == KNOT_RRTYPE_CNAME) {
+		/* Follow CNAME chain in current cut (if SECURE). */
+		if ((qry->flags & QUERY_DNSSEC_WANT) && rr->type == KNOT_RRTYPE_CNAME) {
 			const knot_dname_t *next_cname = knot_cname_name(&rr->rrs);
 			if (knot_dname_in(qry->zone_cut.name, next_cname)) {
 				cname = next_cname;