diff --git a/CHANGES b/CHANGES
index acf2a42829..2de65a62e5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+2004.	[bug]		dns_tsig_sign() could pass a NULL pointer to
+			dst_context_destroy() when cleaning up after a
+			error. [RT #15835]
+
 2003.	[bug]		libbind: The DNS name/address lookup functions could
 			occasionally follow a random pointer due to
 			structures not being completely zeroed. [RT #15806]
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index fe91525852..ff1c798bc5 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.124 2006/01/27 23:57:46 marka Exp $
+ * $Id: tsig.c,v 1.125 2006/03/08 03:51:01 marka Exp $
  */
 /*! \file */
 #include <config.h>
@@ -765,7 +765,7 @@ dns_tsig_sign(dns_message_t *msg) {
 		goto cleanup_signature;
 	ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_signature;
+		goto cleanup_rdata;
 	ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 				   dns_rdatatype_tsig, &tsig, dynbuf);
 	if (ret != ISC_R_SUCCESS)
@@ -781,7 +781,7 @@ dns_tsig_sign(dns_message_t *msg) {
 	owner = NULL;
 	ret = dns_message_gettempname(msg, &owner);
 	if (ret != ISC_R_SUCCESS)
-		goto cleanup_context;
+		goto cleanup_rdata;
 	dns_name_init(owner, NULL);
 	ret = dns_name_dup(&key->name, msg->mctx, owner);
 	if (ret != ISC_R_SUCCESS)
@@ -813,18 +813,17 @@ dns_tsig_sign(dns_message_t *msg) {
 	dns_message_puttemprdatalist(msg, &datalist);
  cleanup_owner:
 	dns_message_puttempname(msg, &owner);
-	goto cleanup_context;
-
+	goto cleanup_rdata;
  cleanup_dynbuf:
 	isc_buffer_free(&dynbuf);
+ cleanup_rdata:
+	dns_message_puttemprdata(msg, &rdata);
  cleanup_signature:
 	if (tsig.signature != NULL)
 		isc_mem_put(mctx, tsig.signature, sigsize);
-
  cleanup_context:
-	if (rdata != NULL)
-		dns_message_puttemprdata(msg, &rdata);
-	dst_context_destroy(&ctx);
+	if (ctx != NULL)
+		dst_context_destroy(&ctx);
 	return (ret);
 }