diff --git a/proxy/cache.go b/proxy/cache.go
index f160b78ba..d2305cad3 100644
--- a/proxy/cache.go
+++ b/proxy/cache.go
@@ -336,8 +336,7 @@ func cacheTTL(m *dns.Msg) (ttl uint32) {
 switch rcode := m.Rcode; rcode {
 case dns.RcodeSuccess:
- qType := m.Question[0].Qtype
- if (qType != dns.TypeA && qType != dns.TypeAAAA) || hasIPAns(m) || isCacheableNegative(m) {
+ if isCacheableSuccceded(m) {
 return ttl
 }
 case dns.RcodeNameError:
@@ -369,6 +368,14 @@ func hasIPAns(m *dns.Msg) (ok bool) {
 return false
 }
+// isCacheableSuccceded returns true if m contains useful data to be cached
+// treating it as a succeesful response.
+func isCacheableSuccceded(m *dns.Msg) (ok bool) {
+ qType := m.Question[0].Qtype
+
+ return (qType != dns.TypeA && qType != dns.TypeAAAA) || hasIPAns(m) || isCacheableNegative(m)
+}
+
 // isCacheableNegative returns true if m's header has at least a single SOA RR
 // and no NS records so that it can be declared authoritative.
 //
diff --git a/proxy/proxy.go b/proxy/proxy.go
index 6cfdfe804..ae47170c4 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -453,6 +453,10 @@ func (p *Proxy) Resolve(d *DNSContext) (err error) {
 d.calcFlagsAndSize()
 // Use cache only if it's enabled and the query doesn't use custom upstream.
+ // Also don't cache responses for queries with DNSSEC checking disabled,
+ // just like Dnsmasq does.
+ //
+ // See https://github.com/imp/dnsmasq/blob/770bce967cfc9967273d0acfb3ea018fb7b17522/src/forward.c#L1169-L1172.
 cacheWorks := p.cache != nil && d.CustomUpstreamConfig == nil && !d.Req.CheckingDisabled
 if cacheWorks {
 if p.replyFromCache(d) {
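Review bot: The helper name on the added line `if isCacheableSuccceded(m) {` is misspelled (three c's, one e); `isCacheableSucceeded` is the intended spelling, and correcting it now keeps the typo from spreading to further call sites. The same name is defined in the second hunk of proxy/cache.go, whose doc comment also reads "succeesful" where "successful" is meant. cacheTTL's body starts and ends outside this hunk.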
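Review bot: The new `isCacheableSuccceded` indexes `m.Question[0]` with no length check, so a message with an empty question section would panic in this helper. cacheTTL may already reject such messages before its switch, but that code is outside the hunk, and once the expression lives in a standalone function the guarantee no longer travels with it. Since m is a response received from an upstream, a guard at the top is cheap protection against a crash on malformed input: `if len(m.Question) == 0 { return false }`. If the precondition is deliberate, state it in the doc comment instead, for example `// m must have exactly one question.`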
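Review bot: The added comment justifies the CD exclusion only by pointing at Dnsmasq, so the security reason is not readable in place. Presumably the concern is that a response to a checking-disabled query may carry records that did not pass DNSSEC validation and must not be handed to other clients from the cache; if so, say it directly, e.g. `// A CD response may hold data that failed DNSSEC validation, so it must never be served to other clients.` The comment also says "don't cache responses", while the visible `cacheWorks` flag gates the read path `p.replyFromCache(d)`; whether the store path uses the same flag lies outside the hunk, as Resolve continues past it. If both are gated, wording such as `// Neither answer from nor store into the cache for queries with DNSSEC checking disabled.` would match the code more closely.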