From d87d9518747436c37526e6bb830d57dd3f2e58d4 Mon Sep 17 00:00:00 2001
From: Willem Toorop <willem@nlnetlabs.nl>
Date: Wed, 8 Jul 2015 17:15:27 +0200
Subject: [PATCH] set ds_signer only when actually signed

---
 src/dnssec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/dnssec.c b/src/dnssec.c
index 929949e9..61e561de 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -2336,9 +2336,9 @@ static int chain_node_get_trusted_keys(
 		node->ds_signer = keytag;
 		return GETDNS_DNSSEC_INSECURE;
 	}
-	if ((keytag = key_matches_signer(ta, &node->ds))) {
-		node->ds_signer = keytag;
-		if (a_key_signed_rrset(ta, &node->ds) &&
+	if (key_matches_signer(ta, &node->ds)) {
+		
+		if ((node->ds_signer = a_key_signed_rrset(ta, &node->ds)) &&
 		   (keytag = ds_authenticates_keys(&node->ds, &node->dnskey))){
 
 			*keys = &node->dnskey;