diff --git a/CHANGES b/CHANGES
index d01988be49..9b8df60af6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3765. [bug] Fixed a bug in "rndc secroots" that could crash
+ named when dumping an empty keynode. [RT #35469]
+
 3764. [bug] The dnssec-keygen/settime -S and -i options (to set up a successor key and set the prepublication interval) were missing from dnssec-keyfromlabel.
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index f6b6bb22cc..56fefcd2c1 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@@ -576,6 +576,8 @@ dns_keytable_dump(dns_keytable_t *keytable, FILE *fp)
 dns_rbtnodechain_current(&chain, NULL, NULL, &node);
 for (knode = node->data; knode != NULL; knode = knode->next) {
+ if (knode->key == NULL)
+ continue;
 dst_key_format(knode->key, pbuf, sizeof(pbuf));
 fprintf(fp, "%s ; %s\n", pbuf, knode->managed ? "managed" : "trusted");
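Review bot: The new `if (knode->key == NULL) continue;` guard in the inner loop of dns_keytable_dump drops the entry from the "rndc secroots" output without a trace. It does stop the NULL pointer reaching dst_key_format(), but an operator auditing the trust anchors can no longer tell from the dump that a name carries an empty keynode. At minimum the skip deserves a comment saying the omission is deliberate, for example `/* Empty keynode: no key to format, so nothing is printed for it. */`. Printing a marker line for such nodes instead would keep the dump complete, if the output format allows it. Other places that hand `knode->key` to dst_* routines are not visible in this hunk and may rest on the same non-NULL assumption, so they are worth checking. The loop body and the rest of the function continue outside the hunk.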