diff --git a/changes/annotations_fix b/changes/annotations_fix
new file mode 100644
index 0000000000..d3cd7f343e
--- /dev/null
+++ b/changes/annotations_fix
@@ -0,0 +1,8 @@
+  o Major bugfixes
+    - Do even more to reject (and not just ignore) annotations on
+      router descriptors received anywhere but from the cache.
+      Previously we would ignore such annotations at first, but cache
+      them to disk anyway.  Bugfix on 0.2.0.8-alpha. Found by piebeer.
+
+
+
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index aa1aba423c..da08e46644 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -1177,10 +1177,16 @@ router_parse_entry_from_string(const char *s, const char *end,
     s = cp+1;
   }
 
-  if (allow_annotations && start_of_annotations != s) {
-    if (tokenize_string(area,start_of_annotations,s,tokens,
-                        routerdesc_token_table,TS_NOCHECK)) {
-      log_warn(LD_DIR, "Error tokenizing router descriptor (annotations).");
+  if (start_of_annotations != s) { /* We have annotations */
+    if (allow_annotations) {
+      if (tokenize_string(area,start_of_annotations,s,tokens,
+                          routerdesc_token_table,TS_NOCHECK)) {
+        log_warn(LD_DIR, "Error tokenizing router descriptor (annotations).");
+        goto err;
+      }
+    } else {
+      log_warn(LD_DIR, "Found unexpected annotations on router descriptor not "
+               "loaded from disk.  Dropping it.");
       goto err;
     }
   }