diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index f78bf0702b2353f265eb1b1b9dd44bcdce41996d..a162a91a03379d31199ab0d6da9f51457e7f9f02 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -3071,16 +3071,6 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) {
 
         name = dns_resource_key_name(dns_transaction_key(t));
 
-        if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_DS, DNS_TYPE_CNAME, DNS_TYPE_DNAME)) {
-                /* We got a negative reply for this DS/CNAME/DNAME lookup? Check the parent in this case to
-                 * see if this answer should have been signed. */
-                r = dns_name_parent(&name);
-                if (r < 0)
-                        return r;
-                if (r == 0)
-                        return true;
-        }
-
         /* For all other RRs we check the DS on the same level to see
          * if it's signed. */
 
diff --git a/test/units/TEST-75-RESOLVED.sh b/test/units/TEST-75-RESOLVED.sh
index 4a7b75971701555f638736545b211e5fe937a632..576c04f87ac09059e243d19f0da480f5149d978a 100755
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@@ -496,6 +496,8 @@ testcase_08_resolved() {
     grep -qF "15 mail.unsigned.test." "$RUN_OUT"
     run resolvectl query --legend=no -t MX unsigned.test
     grep -qF "unsigned.test IN MX 15 mail.unsigned.test" "$RUN_OUT"
+    run dig @ns1.unsigned.test +noall +comments unsigned.test CNAME
+    grep -qF "status: NOERROR" "$RUN_OUT"
 
     : "--- ZONE: signed.test (static DNSSEC) ---"
     # Check the trust chain (with and without systemd-resolved in between