diff --git a/TODO b/TODO
index 62693f06..3b256c32 100644
--- a/TODO
+++ b/TODO
@@ -2,7 +2,7 @@ Todo:
 * DNSSEC validation
 * NSEC(3) secure denial of existence
 * Unknown RRs
-* fix os.Erros usage
+* fix os.Erros usage, add DNSSEC related errors
 * AXFR/IXFR support
 
 Tesing:
diff --git a/dnssec.go b/dnssec.go
index 19ee4263..d5848f1f 100644
--- a/dnssec.go
+++ b/dnssec.go
@@ -106,8 +106,18 @@ func (k *RR_DNSKEY) KeyTag() uint16 {
 
 // Validate an rrset with the signature and key. This is the
 // cryptographic test, the validity period most be check separately.
-func (s *RR_RRSIG) Secure(rrset []RR, key *RR_DNSKEY) bool {
-	return false
+func (s *RR_RRSIG) Secure(rrset []RR, k *RR_DNSKEY) bool {
+	// Frist the easy checks
+	if s.KeyTag != k.KeyTag() {
+		return false
+	}
+	if s.Hdr.Class != k.Hdr.Class {
+		return false
+	}
+	if s.Algorithm != k.Algorithm {
+		return false
+	}
+	return true
 }
 
 // Using RFC1982 calculate if a signature period is valid
diff --git a/dnssec_test.go b/dnssec_test.go
index 22e5e882..1b9c85f6 100644
--- a/dnssec_test.go
+++ b/dnssec_test.go
@@ -20,4 +20,18 @@ func TestSecure(t *testing.T) {
 	sig.SignerName = "miek.nl."
 	sig.Sig = "AwEAAaHIwpx3w4VHKi6i1LHnTaWeHCL154Jug0Rtc9ji5qwPXpBo6A5sRv7cSsPQKPIwxLpyCrbJ4mr2L0EPOdvP6z6YfljK2ZmTbogU9aSU2fiq/4wjxbdkLyoDVgtO+JsxNN4bjr4WcWhsmk1Hg93FV9ZpkWb0Tbad8DFqNDzr//kZ"
 
+	key := new(RR_DNSKEY)
+	key.Hdr.Name = "miek.nl"
+	key.Hdr.Rrtype = TypeDNSKEY
+	key.Hdr.Class = ClassINET
+	key.Hdr.Ttl = 3600
+	key.Flags = 256
+	key.Protocol = 3
+	key.Algorithm = AlgRSASHA256
+	key.PubKey = "AwEAAcNEU67LJI5GEgF9QLNqLO1SMq1EdoQ6E9f85ha0k0ewQGCblyW2836GiVsm6k8Kr5ECIoMJ6fZWf3CQSQ9ycWfTyOHfmI3eQ/1Covhb2y4bAmL/07PhrL7ozWBW3wBfM335Ft9xjtXHPy7ztCbV9qZ4TVDTW/Iyg0PiwgoXVesz"
+
+	if ! sig.Secure(nil, key) {
+		t.Log("It is not secure")
+		t.Fail()
+	}
 }
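Review bot: `Secure` now returns `true` after only comparing key tag, class and algorithm, with `rrset` and the key material never touched, so any caller that trusts its result will accept an RRset whose signature was never checked; the previous stub at least failed closed with `return false`. Until the actual signature verification over `rrset` and `s.Sig` is in place, the final line should stay `return false` (or the function should carry a comment stating it is a stub that only performs the header checks), since the doc comment above still promises "This is the cryptographic test". The header checks themselves are also incomplete for RFC 4035-style validation: the key's `Protocol` field and the match between `s.SignerName` and the key's owner name are not examined. Minor: `// Frist the easy checks` should read `// First the easy checks`, and the doc comment's "most be check separately" should be "must be checked separately".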
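Review bot: The test in dnssec_test.go pins the new `Secure` behaviour as a positive result with `rrset` passed as `nil`, which can only pass because no cryptographic check happens; once real verification lands this assertion will need a real RRset, and in the meantime it documents "returns true" as correct. The fixture is also inconsistent with the signature built earlier in the function (which starts outside this hunk): `key.Hdr.Name = "miek.nl"` has no trailing dot while `sig.SignerName = "miek.nl."` does, so a future signer-name check would fail on this input; use `key.Hdr.Name = "miek.nl."`. A negative case would make the test meaningful now, e.g. a second key with a different `Algorithm` for which `sig.Secure(nil, key2)` must return `false`. Style: gofmt writes `if !sig.Secure(nil, key) {` without the space after `!`.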