diff --git a/CHANGES b/CHANGES
index 50774d602d..28e7a721e4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4766.	[cleanup]	Addresss Coverity warnings. [RT #46150]
+
+4765.	[bug]		Address potential INSIST in dnssec-cds. [RT #46150]
+
 4764.	[bug]		Address portability issues in cds system test.
 			[RT #46214]
 
diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c
index 521f7bd7aa..56237823c1 100644
--- a/bin/dnssec/dnssec-cds.c
+++ b/bin/dnssec/dnssec-cds.c
@@ -360,13 +360,14 @@ load_parent_set(const char *path) {
 	free_db(&db, &node);
 }
 
+#define MAX_CDS_RDATA_TEXT_SIZE DNS_RDATA_MAXLENGTH * 2
+
 static isc_buffer_t *
 formatset(dns_rdataset_t *rdataset) {
 	isc_result_t result;
 	isc_buffer_t *buf = NULL;
 	dns_master_style_t *style = NULL;
 	unsigned int styleflags;
-	unsigned int size;
 
 	styleflags = (rdataset->ttl == 0) ? DNS_STYLEFLAG_NO_TTL : 0;
 
@@ -378,23 +379,17 @@ formatset(dns_rdataset_t *rdataset) {
 	result = dns_master_stylecreate2(&style, styleflags,
 					 0, 0, 0, 0, 0, 1000000, 0,
 					 mctx);
+	check_result(result, "dns_master_stylecreate2 failed");
 
-	size = 256;
-	do {
-		result = isc_buffer_allocate(mctx, &buf, size);
-		check_result(result, "printing DS records");
-		result = dns_master_rdatasettotext(name, rdataset,
-						   style, buf);
-		if (result == ISC_R_NOSPACE ||
-		    isc_buffer_availablelength(buf) < 1)
-		{
-			vbprintf(20, "formatset buffer size %u\n", size);
-			isc_buffer_free(&buf);
-			size *= 2;
-		} else {
-			check_result(result, "dns_rdataset_totext()");
-		}
-	} while (result != ISC_R_SUCCESS);
+	result = isc_buffer_allocate(mctx, &buf, MAX_CDS_RDATA_TEXT_SIZE);
+	check_result(result, "printing DS records");
+	result = dns_master_rdatasettotext(name, rdataset, style, buf);
+
+	if ((result == ISC_R_SUCCESS) && isc_buffer_availablelength(buf) < 1) {
+		result = ISC_R_NOSPACE;
+	}
+
+	check_result(result, "dns_rdataset_totext()");
 
 	isc_buffer_putuint8(buf, 0);
 
diff --git a/lib/irs/getnameinfo.c b/lib/irs/getnameinfo.c
index 1134a1acd8..c5f987dd75 100644
--- a/lib/irs/getnameinfo.c
+++ b/lib/irs/getnameinfo.c
@@ -320,6 +320,7 @@ getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
 		case DNS_R_NOVALIDDS:
 		case DNS_R_NOVALIDSIG:
 			ERR(EAI_INSECUREDATA);
+			/* NOTREACHED */
 		default:
 			ERR(EAI_FAIL);
 		}
diff --git a/lib/ns/query.c b/lib/ns/query.c
index ee156efe6a..7e19ff06fc 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -8353,7 +8353,6 @@ query_synthnodata(query_ctx_t *qctx, const dns_name_t *signer,
 	dns_ttl_t ttl;
 	isc_buffer_t *dbuf, b;
 	isc_result_t result;
-	dns_rdataset_t *clone = NULL, *sigclone = NULL;
 
 	/*
 	 * Detemine the correct TTL to use for the SOA and RRSIG
@@ -8413,12 +8412,6 @@ cleanup:
 	if (name != NULL) {
 		query_releasename(qctx->client, &name);
 	}
-	if (clone != NULL) {
-		query_putrdataset(qctx->client, &clone);
-	}
-	if (sigclone != NULL) {
-		query_putrdataset(qctx->client, &sigclone);
-	}
 	return (result);
 }
 
@@ -8746,7 +8739,6 @@ query_coveringnsec(query_ctx_t *qctx) {
 	dns_fixedname_t fsigner;
 	dns_fixedname_t fwild;
 	dns_name_t *fname = NULL;
-	dns_name_t *name = NULL;
 	dns_name_t *nowild = NULL;
 	dns_name_t *signer = NULL;
 	dns_name_t *wild = NULL;
@@ -8891,6 +8883,7 @@ query_coveringnsec(query_ctx_t *qctx) {
 		{
 			goto cleanup;
 		}
+		/* FALLTHROUGH */
 	case DNS_R_CNAME:
 		if (!qctx->resuming && !STALE(&rdataset) &&
 		    rdataset.ttl == 0 && RECURSIONOK(qctx->client))
@@ -8997,9 +8990,6 @@ query_coveringnsec(query_ctx_t *qctx) {
 		}
 		dns_db_detach(&db);
 	}
-	if (name != NULL) {
-		query_releasename(qctx->client, &name);
-	}
 
 	if (redirected) {
 		return (result);