diff --git a/CHANGES b/CHANGES
index d9009196e1..7f98f6c8cd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2853.	[bug]		add_sigs() could run out of scratch space. [RT #21015]
+
 2852.	[bug]		Handle broken DNSSEC trust chains better. [RT #15619]
 
 2851.	[doc]		nslookup.1, removed <informalexample> from the docbook
diff --git a/bin/named/update.c b/bin/named/update.c
index f9a3e2817a..07a4306bcf 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.179 2009/12/30 02:43:09 marka Exp $ */
+/* $Id: update.c,v 1.180 2010/02/26 01:39:49 marka Exp $ */
 
 #include <config.h>
 
@@ -1941,6 +1941,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
 				    rdataset.ttl, &sig_rdata));
 		dns_rdata_reset(&sig_rdata);
+		isc_buffer_init(&buffer, data, sizeof(data));
 		added_sig = ISC_TRUE;
 	}
 	if (!added_sig) {
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 21f9291979..5220ca12b4 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.557 2010/01/26 23:33:10 fdupont Exp $ */
+/* $Id: zone.c,v 1.558 2010/02/26 01:39:49 marka Exp $ */
 
 /*! \file */
 
@@ -4735,6 +4735,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
 				    name, rdataset.ttl, &sig_rdata));
 		dns_rdata_reset(&sig_rdata);
+		isc_buffer_init(&buffer, data, sizeof(data));
 	}
 
  failure: