diff --git a/doc/Changelog b/doc/Changelog
index 6cb5f73fd..47589688e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+12 September 2011: Wouter
+	- Reverted dns EDNS backoff fix, it did not help and needs
+	  fragmentation fixes instead.
+
 7 September 2011: Wouter
 	- Fix operation in ipv6 only (do-ip4: no) mode.
 
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 7a7ab5722..ff709186f 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -539,7 +539,7 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
 
 int 
 iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
-        struct dns_msg* msg, uint16_t dclass, struct module_qstate* qstate)
+        struct dns_msg* msg, uint16_t dclass)
 {
 	struct trust_anchor* a;
 	/* information not available, !env->anchors can be common */
@@ -573,15 +573,6 @@ iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
 			regional_free_all(env->scratch);
 		}
 	}
-	/* on retries, we have to expect DNSSEC.
-	 * just a blacklist of the cache is done for parentside lookups too,
-	 * but blacklist of IPs is done for validation failures. */
-	if(qstate && qstate->blacklist) {
-		struct sock_list* p;
-		for(p=qstate->blacklist; p; p=p->next)
-			if(p->len != 0)
-				return 1;
-	}
 	return 0;
 }
 
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index c7beeacc6..deddac666 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -172,12 +172,10 @@ int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
  * @param dp: delegation point.
  * @param msg: delegation message, with DS if a secure referral.
  * @param dclass: class of query.
- * @param qstate: module query state for the query in question, for validation
- * 	retry state.
  * @return 1 if dnssec is expected, 0 if not.
  */
 int iter_indicates_dnssec(struct module_env* env, struct delegpt* dp,
-	struct dns_msg* msg, uint16_t dclass, struct module_qstate* qstate);
+	struct dns_msg* msg, uint16_t dclass);
 
 /**
  * See if a message contains DNSSEC.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 915e3fd1c..71682b234 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -574,8 +574,8 @@ prime_root(struct module_qstate* qstate, struct iter_qstate* iq,
 		}
 		/* there should not be any target queries. */
 		subiq->num_target_queries = 0; 
-		subiq->dnssec_expected = iter_indicates_dnssec(qstate->env,
-			subiq->dp, NULL, subq->qinfo.qclass, subq);
+		subiq->dnssec_expected = iter_indicates_dnssec(
+			qstate->env, subiq->dp, NULL, subq->qinfo.qclass);
 	}
 	
 	/* this module stops, our submodule starts, and does the query. */
@@ -669,8 +669,8 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * missing targets. */
 		subiq->num_target_queries = 0; 
 		subiq->wait_priming_stub = 1;
-		subiq->dnssec_expected = iter_indicates_dnssec(qstate->env,
-			subiq->dp, NULL, subq->qinfo.qclass, subq);
+		subiq->dnssec_expected = iter_indicates_dnssec(
+			qstate->env, subiq->dp, NULL, subq->qinfo.qclass);
 	}
 	
 	/* this module stops, our submodule starts, and does the query. */
@@ -1191,7 +1191,7 @@ processInitRequest3(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* if the cache reply dp equals a validation anchor or msg has DS,
 	 * then DNSSEC RRSIGs are expected in the reply */
 	iq->dnssec_expected = iter_indicates_dnssec(qstate->env, iq->dp, 
-		iq->deleg_msg, iq->qchase.qclass, qstate);
+		iq->deleg_msg, iq->qchase.qclass);
 
 	/* If the RD flag wasn't set, then we just finish with the 
 	 * cached referral as the response. */
@@ -1254,7 +1254,7 @@ generate_parentside_target_query(struct module_qstate* qstate,
 			subiq->dp = delegpt_copy(iq->dp, subq->region);
 			subiq->dnssec_expected = iter_indicates_dnssec(
 				qstate->env, subiq->dp, NULL, 
-				subq->qinfo.qclass, subq);
+				subq->qinfo.qclass);
 			subiq->refetch_glue = 1;
 		} else {
 			subiq->dp = dns_cache_find_delegation(qstate->env, 
@@ -1264,7 +1264,7 @@ generate_parentside_target_query(struct module_qstate* qstate,
 			if(subiq->dp) { 
 				subiq->dnssec_expected = iter_indicates_dnssec(
 					qstate->env, subiq->dp, NULL, 
-					subq->qinfo.qclass, subq);
+					subq->qinfo.qclass);
 				subiq->refetch_glue = 1;
 			}
 		}
@@ -1899,7 +1899,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* see if the next dp is a trust anchor, or a DS was sent
 		 * along, indicating dnssec is expected for next zone */
 		iq->dnssec_expected = iter_indicates_dnssec(qstate->env, 
-			iq->dp, iq->response, iq->qchase.qclass, qstate);
+			iq->dp, iq->response, iq->qchase.qclass);
 		/* if dnssec, validating then also fetch the key for the DS */
 		if(iq->dnssec_expected && qstate->env->cfg->prefetch_key &&
 			!(qstate->query_flags&BIT_CD))
diff --git a/services/outside_network.c b/services/outside_network.c
index 59482c6ba..5397e8afb 100644
--- a/services/outside_network.c
+++ b/services/outside_network.c
@@ -1318,7 +1318,7 @@ serviced_udp_send(struct serviced_query* sq, ldns_buffer* buff)
 			/* even 700 msec may be too small */
 			rtt = 1000;
 			sq->status = serviced_query_PROBE_EDNS;
-		} else if(vs != -1 || sq->want_dnssec) {
+		} else if(vs != -1) {
 			sq->status = serviced_query_UDP_EDNS;
 		} else { 	
 			sq->status = serviced_query_UDP; 
@@ -1536,7 +1536,7 @@ serviced_tcp_send(struct serviced_query* sq, ldns_buffer* buff)
 	if(!infra_host(sq->outnet->infra, &sq->addr, sq->addrlen, 
 		*sq->outnet->now_secs, &vs, &edns_lame_known, &rtt))
 		return 0;
-	if(vs != -1 || sq->want_dnssec)
+	if(vs != -1)
 		sq->status = serviced_query_TCP_EDNS;
 	else 	sq->status = serviced_query_TCP;
 	serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS);