diff --git a/router/java/src/net/i2p/router/networkdb/kademlia/FloodfillVerifyStoreJob.java b/router/java/src/net/i2p/router/networkdb/kademlia/FloodfillVerifyStoreJob.java
index 9ffda0201e34912afc0e9a4a2e3459e09328436d..d0f94131ccb1d700cabc47282eeda97ec20c0829 100644
--- a/router/java/src/net/i2p/router/networkdb/kademlia/FloodfillVerifyStoreJob.java
+++ b/router/java/src/net/i2p/router/networkdb/kademlia/FloodfillVerifyStoreJob.java
@@ -19,6 +19,7 @@ import net.i2p.router.MessageSelector;
 import net.i2p.router.ReplyJob;
 import net.i2p.router.RouterContext;
 import net.i2p.router.TunnelInfo;
+import net.i2p.router.util.MaskedIPSet;
 import net.i2p.util.Log;
 
 /**
@@ -39,11 +40,13 @@ class FloodfillVerifyStoreJob extends JobImpl {
     private final boolean _isRouterInfo;
     private MessageWrapper.WrappedMessage _wrappedMessage;
     private final Set<Hash> _ignore;
+    private final MaskedIPSet _ipSet;
     
     private static final int START_DELAY = 18*1000;
     private static final int START_DELAY_RAND = 9*1000;
     private static final int VERIFY_TIMEOUT = 20*1000;
     private static final int MAX_PEERS_TO_TRY = 4;
+    private static final int IP_CLOSE_BYTES = 3;
     
     /**
      *  Delay a few seconds, then start the verify
@@ -60,7 +63,10 @@ class FloodfillVerifyStoreJob extends JobImpl {
         _facade = facade;
         _ignore = new HashSet<Hash>(MAX_PEERS_TO_TRY);
         if (sentTo != null) {
+            _ipSet = new MaskedIPSet(ctx, sentTo, IP_CLOSE_BYTES);
             _ignore.add(_sentTo);
+        } else {
+            _ipSet = new MaskedIPSet(4);
         }
         // wait some time before trying to verify the store
         getTiming().setStartAfter(ctx.clock().now() + START_DELAY + ctx.random().nextInt(START_DELAY_RAND));
@@ -188,10 +194,19 @@ class FloodfillVerifyStoreJob extends JobImpl {
                     break;
                 Hash peer = peers.get(0);
                 RouterInfo ri = _facade.lookupRouterInfoLocally(peer);
-                if (ri != null && StoreJob.supportsCert(ri, keyCert))
-                    return peer;
-                if (_log.shouldLog(Log.INFO))
-                    _log.info(getJobId() + ": Skipping verify w/ router that doesn't support key certs " + peer);
+                if (ri != null && StoreJob.supportsCert(ri, keyCert)) {
+                    Set<String> peerIPs = new MaskedIPSet(getContext(), ri, IP_CLOSE_BYTES);
+                    if (!_ipSet.containsAny(peerIPs)) {
+                        _ipSet.addAll(peerIPs);
+                        return peer;
+                    } else {
+                        if (_log.shouldLog(Log.INFO))
+                            _log.info(getJobId() + ": Skipping verify w/ router too close to the store " + peer);
+                    }
+                } else {
+                    if (_log.shouldLog(Log.INFO))
+                        _log.info(getJobId() + ": Skipping verify w/ router that doesn't support key certs " + peer);
+                }
                 _ignore.add(peer);
             }
         } else {
diff --git a/router/java/src/net/i2p/router/util/MaskedIPSet.java b/router/java/src/net/i2p/router/util/MaskedIPSet.java
index bfcecfd7c3ee87f074cd516cd5e50a6cc62e99ed..eaf3b6e7e3ccf14af8ed52dcb16840ba440d6b1e 100644
--- a/router/java/src/net/i2p/router/util/MaskedIPSet.java
+++ b/router/java/src/net/i2p/router/util/MaskedIPSet.java
@@ -32,17 +32,31 @@ public class MaskedIPSet extends HashSet<String> {
       *
       * As of 0.9.24, returned set will include netdb family as well.
       *
+      * @param peer non-null
       * @param mask is 1-4 (number of bytes to match)
       * @return an opaque set of masked IPs for this peer
       */
     public MaskedIPSet(RouterContext ctx, Hash peer, int mask) {
+        this(ctx, ctx.netDb().lookupRouterInfoLocally(peer), mask);
+    }
+
+    /**
+      * The Set of IPs for this peer, with a given mask.
+      * Includes the comm system's record of the IP, and all netDb addresses.
+      *
+      * As of 0.9.24, returned set will include netdb family as well.
+      *
+      * @param pinfo may be null
+      * @param mask is 1-4 (number of bytes to match)
+      * @return an opaque set of masked IPs for this peer
+      */
+    public MaskedIPSet(RouterContext ctx, RouterInfo pinfo, int mask) {
         super(4);
-        byte[] commIP = ctx.commSystem().getIP(peer);
-        if (commIP != null)
-            add(maskedIP(commIP, mask));
-        RouterInfo pinfo = ctx.netDb().lookupRouterInfoLocally(peer);
         if (pinfo == null)
             return;
+        byte[] commIP = ctx.commSystem().getIP(pinfo.getHash());
+        if (commIP != null)
+            add(maskedIP(commIP, mask));
         Collection<RouterAddress> paddr = pinfo.getAddresses();
         for (RouterAddress pa : paddr) {
             byte[] pib = pa.getIP();