diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index 6f5a7eb4e3..7bba2c9ecc 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -153,6 +153,29 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 * Any other result indicates an error.
 */
 
+isc_result_t
+dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+ dns_keynode_t **nextnodep);
+/*
+ * Search for the next key with the same properties as 'keynode' in
+ * 'keytable'.
+ *
+ * Requires:
+ *
+ * 'keytable' is a valid keytable.
+ *
+ * 'keynode' is a valid keynode.
+ *
+ * nextnodep != NULL && *nextnodep == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ *
+ * Any other result indicates an error.
+ */
+
 isc_result_t
 dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
 dns_name_t *foundname);
@@ -225,12 +248,6 @@ dns_keynode_key(dns_keynode_t *keynode);
 * Get the DST key associated with keynode.
 */
 
-dns_keynode_t *
-dns_keynode_next(dns_keynode_t *keynode);
-/*
- * Get the next keynode in the list.
- */
-
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_KEYTABLE_H */
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index 0921ddc734..847f508709 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
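Review bot: The contract comment added for dns_keytable_findnextkeynode() does not say who owns the node returned in `*nextnodep`, and "the same properties" is left undefined. The keytable.c implementation in this commit raises `keytable->active_nodes` on success and matches on algorithm and key id only, so the header should state both, e.g. `Search for the next key with the same algorithm and key id as 'keynode'` and, under Returns, `On ISC_R_SUCCESS, '*nextnodep' is attached and must be released with dns_keytable_detachkeynode(); 'keynode' stays attached.` That dns_keytable_detachkeynode() is the matching release is inferred from the validator.c caller in this commit, not from a definition visible here.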
@@ -281,6 +281,39 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 return (result);
 }
 
+isc_result_t
+dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+ dns_keynode_t **nextnodep)
+{
+ isc_result_t result;
+ dns_keynode_t *knode;
+
+ /*
+ * Search for the next key with the same properties as 'keynode' in
+ * 'keytable'.
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(VALID_KEYNODE(keynode));
+ REQUIRE(nextnodep != NULL && *nextnodep == NULL);
+
+ for (knode = keynode->next; knode != NULL; knode = knode->next) {
+ if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
+ dst_key_id(keynode->key) == dst_key_id(knode->key))
+ break;
+ }
+ if (knode != NULL) {
+ LOCK(&keytable->lock);
+ keytable->active_nodes++;
+ UNLOCK(&keytable->lock);
+ result = ISC_R_SUCCESS;
+ *nextnodep = knode;
+ } else
+ result = ISC_R_NOTFOUND;
+
+ return (result);
+}
+
 isc_result_t
 dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
 dns_name_t *foundname)
@@ -372,15 +405,3 @@ dns_keynode_key(dns_keynode_t *keynode) {
 
 return (keynode->key);
 }
-
-dns_keynode_t *
-dns_keynode_next(dns_keynode_t *keynode) {
-
- /*
- * Get the next keynode in the list.
- */
-
- REQUIRE(VALID_KEYNODE(keynode));
-
- return (keynode->next);
-}
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 4b7a7d39cc..7f5ea89658 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -888,9 +888,18 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 if (result == ISC_R_SUCCESS)
 break;
 if (val->keynode != NULL) {
- val->keynode = dns_keynode_next(val->keynode);
- if (val->keynode == NULL)
+ dns_keynode_t *nextnode = NULL;
+ result = dns_keytable_findnextkeynode(
+ val->keytable,
+ val->keynode,
+ &nextnode);
+ dns_keytable_detachkeynode(val->keytable,
+ &val->keynode);
+ val->keynode = nextnode;
+ if (result != ISC_R_SUCCESS) {
+ val->key = NULL;
 break;
+ }
 val->key = dns_keynode_key(val->keynode);
 } else
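Review bot: In dns_keytable_findnextkeynode() the `for` loop walks `keynode->next` and reads `knode->key` before any lock is taken; only the `active_nodes` increment runs under `keytable->lock`. Whether key nodes can be unlinked or freed while a caller still holds 'keynode' is not visible in this hunk, so the condition that makes the unlocked walk safe for trust-anchor data should be written above the loop, for example `/* Walked without the table lock: the caller's reference on 'keynode' is assumed to keep the chain alive. */`. If that assumption does not hold, the walk and the increment belong under the same lock so the node cannot go away between the match and the count.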
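Review bot: In validate(), the lookup status is assigned to `result`, which up to this point held the status tested by `if (result == ISC_R_SUCCESS)` just above; once no further key matches, the loop breaks with the lookup's status and the earlier failure code is lost. The later hunk in this file logs `"verify failure: %s"` from `result`, so, if that is the same variable on the same path (the lines between the two hunks would confirm it), the log would describe the key lookup rather than why the signature did not verify. Keeping the two apart avoids that: declare `isc_result_t nresult;` beside `nextnode`, assign `nresult = dns_keytable_findnextkeynode(...)`, and test `if (nresult != ISC_R_SUCCESS) {`. validate() starts and ends outside this hunk.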
@@ -918,7 +927,7 @@ validate(dns_validator_t *val, isc_boolean_t resume) {
 else
 validator_log(val, ISC_LOG_DEBUG(3),
 "verify failure: %s",
- dns_result_totext(result));
+ isc_result_totext(result));
 }
 INSIST(result == ISC_R_NOMORE);