diff --git a/trifid-api/src/routes/v1/dnclient.rs b/trifid-api/src/routes/v1/dnclient.rs
index 8f2efaa..a6d2e80 100644
--- a/trifid-api/src/routes/v1/dnclient.rs
+++ b/trifid-api/src/routes/v1/dnclient.rs
@@ -74,7 +74,7 @@ pub async fn dnclient(
     let client_keys_2 = host_in_ks
         .client_keys
         .iter()
-        .find(|u| u.id == host_in_ks.current_client_key);;
+        .find(|u| u.id == host_in_ks.current_client_key);
 
     let signature = match Signature::from_slice(&req.signature) {
         Ok(sig) => sig,
@@ -91,21 +91,25 @@ pub async fn dnclient(
     };
 
     let mut valid = false;
-    let mut valid_key;
+    let mut valid_key = None;
 
     if let Some(client_keys) = client_keys {
         if client_keys.ed_pub.verify(req.message.as_bytes(), &signature).is_ok() {
             valid = true;
-            valid_key = client_keys;
+            valid_key = Some(client_keys);
         }
     }
     if let Some(client_keys_2) = client_keys_2 {
         if client_keys_2.ed_pub.verify(req.message.as_bytes(), &signature).is_ok() {
             valid = true;
-            valid_key = client_keys_2;
+            valid_key = Some(client_keys_2);
         }
     }
 
+    if client_keys.is_none() && client_keys_2.is_none() {
+        panic!("No valid keys for host {}", host);
+    }
+
     if !valid {
         // Be intentionally vague as the message is invalid.
         warn!("! invalid signature from {}", host);
@@ -117,7 +121,7 @@ pub async fn dnclient(
         }]);
     }
 
-    let client_keys = valid_key;
+    let client_keys = valid_key.unwrap();
 
     // Sig OK
     // Decode the message from base64