diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 6eba231ca6..b41a9726ca 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -8781,6 +8781,19 @@ rctx_answer_any(respctx_t *rctx) {
 		rdataset->trust = rctx->trust;
 	}
 
+	/*
+	 * An RRSIG query is handled as a subset of ANY; if every record in
+	 * the answer was filtered out above, nothing was marked cacheable,
+	 * so there is nothing to cache, validate, or chase. Treat that as a
+	 * broken answer instead of returning success with no answer, which
+	 * would leave the fetch waiting for a validator that is never
+	 * started.
+	 */
+	if (!rctx->aname->attributes.cache) {
+		rctx->result = DNS_R_FORMERR;
+		return ISC_R_COMPLETE;
+	}
+
 	return ISC_R_SUCCESS;
 }
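Review bot: The new FORMERR return under `if (!rctx->aname->attributes.cache)` is silent, so nothing in the logs records which upstream server sent an answer whose records were all filtered out. Other FORMERR paths in resolver.c appear to log their reason, and a line such as `log_formerr(rctx->fctx, "no usable records in answer");` before `rctx->result = DNS_R_FORMERR;` would make this remotely triggered condition visible to operators (message text is a suggestion). The check also assumes the `cache` attribute on `rctx->aname` can only have been set by the loop above, which starts outside this hunk, so that is worth confirming against the callers. A regression test that feeds an RRSIG query a response with no matching records would pin the behaviour the comment describes.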