diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index c6a96ff9df..27adb5a31f 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -410,13 +410,20 @@ fetch_callback_dnskey(isc_task_t *task, isc_event_t *event) {
 	val->fetch = NULL;
 	if (CANCELED(val)) {
 		validator_done(val, ISC_R_CANCELED);
-	} else if (eresult == ISC_R_SUCCESS) {
-		validator_log(val, ISC_LOG_DEBUG(3), "keyset with trust %s",
+	} else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
+		/*
+		 * We have an answer to our DNSKEY query.  Either the DNSKEY
+		 * RRset or a NODATA response.
+		 */
+		validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+			      eresult == ISC_R_SUCCESS ? "keyset"
+						       : "NCACHENXRRSET",
 			      dns_trust_totext(rdataset->trust));
 		/*
-		 * Only extract the dst key if the keyset is secure.
+		 * Only extract the dst key if the keyset exists and is secure.
 		 */
-		if (rdataset->trust >= dns_trust_secure) {
+		if (eresult == ISC_R_SUCCESS &&
+		    rdataset->trust >= dns_trust_secure) {
 			result = select_signing_key(val, rdataset);
 			if (result == ISC_R_SUCCESS) {
 				val->keyset = &val->frdataset;