diff --git a/NEWS b/NEWS
index 03bd455aaf423904d6e27deeea15f058bc7f5b77..177cc9a6d250cc9e4fee03e070ec313b30e3ee20 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
 Knot Resolver 1.3.2 (2017-07-xx)
 ================================
 
+Security
+--------
+- fix possible opportunities to use insecure data from cache as keys
+  for validation
+
 Bugfixes
 --------
 - daemon: check existence of config file even if rundir isn't specified
diff --git a/lib/zonecut.c b/lib/zonecut.c
index a61a9054bb39fb042ccff48d00a9ec48852aa2a4..8a108c1902c6aca1320027d0e101586067e7b1ef 100644
--- a/lib/zonecut.c
+++ b/lib/zonecut.c
@@ -354,6 +354,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
 	if (ret != 0) {
 		return ret;
 	}
+	/* Note: we accept *any* rank from the cache.  We assume that nothing
+	 * completely untrustworthy could get into the cache, e.g out-of-bailiwick
+	 * records that weren't validated.
+	 */
 
 	/* Materialize as we'll going to do more cache lookups. */
 	knot_rrset_t rr_copy;
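Review bot: The comment added in fetch_ns states an assumption (that nothing completely untrustworthy can get into the cache) without saying which code enforces it, so a later change to cache insertion could invalidate it unnoticed. I would name the enforcing path in the comment, for example `/* Any rank is accepted here; this relies on <cache-insertion path, to be named> never storing unvalidated out-of-bailiwick records. */`. It would also read more naturally directly above the cache lookup it describes rather than after the `ret != 0` check, and `e.g` is missing its full stop. fetch_ns begins and ends outside this hunk, so the lookup call itself is not visible here.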
@@ -384,10 +388,10 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
 }
 
 /**
- * Fetch RRSet of given type.  (and of reasonable trustworthiness)
+ * Fetch secure RRSet of given type.
  */
-static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache,
-                       const knot_dname_t *owner, uint16_t type, knot_mm_t *pool, uint32_t timestamp)
+static int fetch_secure_rrset(knot_rrset_t **rr, struct kr_cache *cache,
+	const knot_dname_t *owner, uint16_t type, knot_mm_t *pool, uint32_t timestamp)
 {
 	if (!rr) {
 		return kr_error(ENOENT);
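Review bot: The doc comment on fetch_secure_rrset leaves the contract unstated: it does not say what is returned when the cached set exists but is not secure, or whether `*rr` is touched on failure. The rank check in the next hunk returns `kr_error(ENOENT)`, the same code as for a NULL `rr`, so I would add a line such as `* Returns kr_error(ENOENT) if the cached RRSet is not ranked KR_RANK_SECURE.` and state what happens to `*rr` in that case. The function body continues outside this hunk.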
@@ -401,8 +405,7 @@ static int fetch_rrset(knot_rrset_t **rr, struct kr_cache *cache,
 	if (ret != 0) {
 		return ret;
 	}
-	const bool rankOK = kr_rank_test(rank, KR_RANK_SECURE)
-		|| (kr_rank_test(rank, KR_RANK_INSECURE) && kr_rank_test(rank, KR_RANK_AUTH));
+	const bool rankOK = kr_rank_test(rank, KR_RANK_SECURE);
 	if (!rankOK) {
 		return kr_error(ENOENT);
 	}
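Review bot: With a single condition left, the `rankOK` temporary is no longer needed; `if (!kr_rank_test(rank, KR_RANK_SECURE)) {` says the same thing in one line. A short why-comment at the check would stop the stricter test from being relaxed again later, for example `/* The result is used as a validation key, so only validated (secure) data is acceptable. */`. The enclosing function starts and ends outside this hunk.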
@@ -448,9 +451,9 @@ int kr_zonecut_find_cached(struct kr_context *ctx, struct kr_zonecut *cut, const
 			}
 			/* Fetch DS and DNSKEY if caller wants secure zone cut */
 			if (*secured || is_root) {
-				fetch_rrset(&cut->trust_anchor, &ctx->cache, label,
+				fetch_secure_rrset(&cut->trust_anchor, &ctx->cache, label,
 					    KNOT_RRTYPE_DS, cut->pool, timestamp);
-				fetch_rrset(&cut->key, &ctx->cache, label,
+				fetch_secure_rrset(&cut->key, &ctx->cache, label,
 					    KNOT_RRTYPE_DNSKEY, cut->pool, timestamp);
 			}
 			update_cut_name(cut, label);
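Review bot: Both fetch_secure_rrset() calls discard their return value, and after this change they fail more often, because entries that are only KR_RANK_INSECURE with KR_RANK_AUTH are now rejected. If the helper leaves `*rr` untouched on failure (its tail is not visible in this diff), `cut->trust_anchor` and `cut->key` keep whatever they held before while `update_cut_name(cut, label)` moves the cut to a new name. It is worth confirming that the fields are cleared earlier or that stale keys can never be paired with the new cut name. At minimum the intent should be explicit at the call site, e.g. `/* Failure is expected: without secure DS/DNSKEY in cache the fields stay unset. */`, if that is indeed the case. The continuation lines are also still aligned to the old, shorter function name, and kr_zonecut_find_cached starts and ends outside the hunk.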