diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index e7c6ffc4c9..09851c1e1a 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c @@ -16,7 +16,7 @@ */ /* - * $Id: dnssec.c,v 1.23 2000/03/06 21:31:08 bwelling Exp $ + * $Id: dnssec.c,v 1.24 2000/03/13 19:27:33 bwelling Exp $ * Principal Author: Brian Wellington */ @@ -774,7 +774,7 @@ dns_dnssec_verifymessage(dns_message_t *msg, dst_key_t *key) { goto failure; } - msg->verified_sig0 = 1; + msg->verified_sig = 1; dns_rdata_freestruct(&sig); @@ -784,5 +784,7 @@ failure: if (signeedsfree) dns_rdata_freestruct(&sig); + msg->verify_attempted = 1; + return (result); } diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h index 362113b917..5b5886641c 100644 --- a/lib/dns/include/dns/message.h +++ b/lib/dns/include/dns/message.h @@ -169,7 +169,8 @@ struct dns_message { unsigned int header_ok : 1; unsigned int question_ok : 1; unsigned int tcp_continuation : 1; - unsigned int verified_sig0 : 1; + unsigned int verified_sig : 1; + unsigned int verify_attempted : 1; unsigned int opt_reserved; unsigned int reserved; /* reserved space (render) */ diff --git a/lib/dns/message.c b/lib/dns/message.c index 5705467de2..877eb99d71 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -312,7 +312,8 @@ msginit(dns_message_t *m) m->header_ok = 0; m->question_ok = 0; m->tcp_continuation = 0; - m->verified_sig0 = 0; + m->verified_sig = 0; + m->verify_attempted = 0; } static inline void @@ -2124,6 +2125,8 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { dns_name_t *sig0name; dns_rdata_generic_sig_t sig; + if (msg->verify_attempted == 0) + result = DNS_R_NOTVERIFIEDYET; result = dns_message_firstname(msg, DNS_SECTION_SIG0); if (result != ISC_R_SUCCESS) return (ISC_R_NOTFOUND); 
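Review bot: The two new bit flags `verified_sig` and `verify_attempted` in struct dns_message carry no comment, so nothing in the header tells a reader of `dns_message_signer` which code sets them or what each one lets it conclude. From the rest of this patch, `verify_attempted` looks like it is set whenever dns_tsig_verify or dns_dnssec_verifymessage has run (success or failure) and `verified_sig` only on their success paths, so I would document that at the fields: `/* a TSIG/SIG(0) verification has been run */` on verify_attempted and `/* ... and it succeeded */` on verified_sig. struct dns_message begins and ends outside this hunk.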
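Review bot: The added `result = DNS_R_NOTVERIFIEDYET;` in the SIG(0) branch of dns_message_signer is a dead store: the very next line, `result = dns_message_firstname(msg, DNS_SECTION_SIG0);`, overwrites it before anything reads it, so an unverified SIG(0) message is never reported as DNS_R_NOTVERIFIEDYET from this path. Either return immediately (`return (DNS_R_NOTVERIFIEDYET);`) or, to keep the old precedence where a message with no SIG(0) section still yields ISC_R_NOTFOUND, move the check to just after the `return (ISC_R_NOTFOUND);` line. The TSIG branch later in the same function chains the same test with `else if`, which is the shape this branch should mirror. dns_message_signer starts before and continues after this hunk.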
@@ -2141,19 +2144,19 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) { if (result != ISC_R_SUCCESS) return (result); - if (msg->sig0status != dns_rcode_noerror) - result = DNS_R_SIGINVALID; - else if (msg->verified_sig0 == 0) - result = DNS_R_NOTVERIFIEDYET; - else + if (msg->verified_sig && msg->sig0status != dns_rcode_noerror) result = ISC_R_SUCCESS; + else + result = DNS_R_SIGINVALID; dns_name_toregion(&sig.signer, &r); dns_name_fromregion(signer, &r); dns_rdata_freestruct(&sig); } else { dns_name_t *identity; - if (msg->tsigstatus != dns_rcode_noerror) + if (msg->verify_attempted == 0) + result = DNS_R_NOTVERIFIEDYET; + else if (msg->tsigstatus != dns_rcode_noerror) result = DNS_R_TSIGVERIFYFAILURE; else if (msg->tsig->error != dns_rcode_noerror) result = DNS_R_TSIGERRORSET; diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 65cf9e7861..e3a4e328cb 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -16,7 +16,7 @@ */ /* - * $Id: tsig.c,v 1.46 2000/02/03 23:44:01 halley Exp $ + * $Id: tsig.c,v 1.47 2000/03/13 19:27:34 bwelling Exp $ * Principal Author: Brian Wellington */ @@ -562,6 +562,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, if (msg->tsigkey != NULL) REQUIRE(VALID_TSIG_KEY(msg->tsigkey)); + msg->verify_attempted = 1; + if (msg->tcp_continuation) return(dns_tsig_verify_tcp(source, msg)); @@ -776,6 +778,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, return (DNS_R_TSIGERRORSET); } + msg->verified_sig = 1; + return (ISC_R_SUCCESS); cleanup_key:
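Review bot: The new SIG(0) test `if (msg->verified_sig && msg->sig0status != dns_rcode_noerror)` is inverted: it yields ISC_R_SUCCESS exactly when the SIG(0) status is an error, and DNS_R_SIGINVALID when the signature verified with sig0status == dns_rcode_noerror. The removed code returned DNS_R_SIGINVALID for a non-noerror status, and the parallel TSIG branch below still treats a non-noerror `tsigstatus` as a verify failure, so the comparison should be `if (msg->verified_sig && msg->sig0status == dns_rcode_noerror)`. Because `dns_name_fromregion(signer, &r)` runs regardless of the outcome, a caller that checks for ISC_R_SUCCESS and then trusts the returned signer name would accept an identity from a message whose signature check failed; a test with a deliberately bad SIG(0) would catch this. dns_message_signer starts before this hunk.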
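Review bot: `msg->verify_attempted = 1` is set before the `tcp_continuation` early return, but `msg->verified_sig = 1` is only set on dns_tsig_verify's own success path at the bottom of the function, so a continuation message verified via dns_tsig_verify_tcp leaves `verified_sig` at 0 unless that function sets it itself, which is not visible in this patch. If it does not, capture the result here instead of returning it directly: `result = dns_tsig_verify_tcp(source, msg);` / `if (result == ISC_R_SUCCESS) msg->verified_sig = 1;` / `return (result);` (assuming an isc_result_t `result` is declared in this function, which is outside the hunk). The visible TSIG branch of dns_message_signer does not read `verified_sig`, so only other consumers of the flag would notice today. dns_tsig_verify continues past both of its hunks.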