diff --git a/plugin/sign/setup.go b/plugin/sign/setup.go
index e5f5295a0..ed3e6bda0 100644
--- a/plugin/sign/setup.go
+++ b/plugin/sign/setup.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"math/rand"
 	"path/filepath"
+	"strings"
 	"time"
 
 	"github.com/coredns/caddy"
@@ -50,6 +51,11 @@ func parse(c *caddy.Controller) (*Sign, error) {
 			dbfile = filepath.Join(config.Root, dbfile)
 		}
 
+		// Validate dbfile token to avoid infinite signing loops caused by invalid paths
+		if strings.ContainsRune(dbfile, '\uFFFD') {
+			return nil, fmt.Errorf("dbfile %q contains invalid characters", dbfile)
+		}
+
 		origins := plugin.OriginsFromArgsOrServerBlock(c.RemainingArgs(), c.ServerBlockKeys)
 		signers := make([]*Signer, len(origins))
 		for i := range origins {
diff --git a/plugin/sign/setup_test.go b/plugin/sign/setup_test.go
index 93d779a26..cb4a6f522 100644
--- a/plugin/sign/setup_test.go
+++ b/plugin/sign/setup_test.go
@@ -73,3 +73,14 @@ func TestParse(t *testing.T) {
 		}
 	}
 }
+
+// With setup validation in place, an invalid utf-8 dbfile token must cause parse() to error.
+func TestParseRejectsInvalidDbfileToken(t *testing.T) {
+	input := "sign \"\xff\" 8.44.in-addr.arpa. 9.44.in-addr.arpa. {}"
+	c := caddy.NewTestController("dns", input)
+
+	_, err := parse(c)
+	if err == nil {
+		t.Fatalf("expected parse to fail for invalid dbfile token")
+	}
+}