diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index a1763a1fe..7437d93b8 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -436,12 +436,12 @@ can_resolve_root() {
 enable_dnssec() {
 	local status=$(unbound-control get_option val-permissive-mode)
 
-	# Don't do anything if DNSSEC is already activated
-	[ "${status}" = "no" ] && return 0
-
 	# Log DNSSEC status
 	echo "on" > /var/ipfire/red/dnssec-status
 
+	# Don't do anything if DNSSEC is already activated
+	[ "${status}" = "no" ] && return 0
+
 	# Activate DNSSEC and flush cache with any stale and unvalidated data
 	unbound-control -q set_option val-permissive-mode: no
 	unbound-control -q flush_zone .