diff --git a/CHANGES b/CHANGES
index 82c5192041..b9c2042a0e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5737.	[bug]		Address Coverity warning in lib/dns/dnssec.c.
+			[GL #2935]
+
 5736.	[placeholder]
 
 5735.	[cleanup]	The result codes which BIND 9 uses internally are now
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 6e1dc30f7c..450c34f7b6 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -943,7 +943,6 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 	dst_context_t *ctx = NULL;
 	isc_mem_t *mctx;
 	isc_result_t result;
-	bool signeedsfree = true;
 
 	REQUIRE(msg != NULL);
 	REQUIRE(key != NULL);
@@ -1032,7 +1031,6 @@ dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
 				    dynbuf));
 
 	isc_mem_put(mctx, sig.signature, sig.siglen);
-	signeedsfree = false;
 
 	dns_message_takebuffer(msg, &dynbuf);
 
@@ -1053,7 +1051,7 @@ failure:
 	if (dynbuf != NULL) {
 		isc_buffer_free(&dynbuf);
 	}
-	if (signeedsfree) {
+	if (sig.signature != NULL) {
 		isc_mem_put(mctx, sig.signature, sig.siglen);
 	}
 	if (ctx != NULL) {