diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index f770a9cc70..b3c0a52a29 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1970,6 +1970,13 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;
 	dns_rdataset_t rdataset = DNS_RDATASET_INIT;
+
+	result = dns_dnssec_keyfromrdata(val->name, keyrdata, val->view->mctx,
+					 &dstkey);
+	if (result != ISC_R_SUCCESS) {
+		return result;
+	}
+
 	dns_rdataset_clone(val->sigrdataset, &rdataset);
 
 	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
@@ -1983,22 +1990,14 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
 		if (keyid != sig.keyid || algorithm != sig.algorithm) {
 			continue;
 		}
-		if (dstkey == NULL) {
-			result = dns_dnssec_keyfromrdata(
-				val->name, keyrdata, val->view->mctx, &dstkey);
-			if (result != ISC_R_SUCCESS) {
-				return result;
-			}
-		}
+
 		result = verify(val, dstkey, &rdata, sig.keyid);
 		if (result == ISC_R_SUCCESS || result == ISC_R_QUOTA) {
 			break;
 		}
 	}
 
-	if (dstkey != NULL) {
-		dst_key_free(&dstkey);
-	}
+	dst_key_free(&dstkey);
 	dns_rdataset_disassociate(&rdataset);
 
 	return result;