diff --git a/CHANGES b/CHANGES
index 3b54061009..ef9599fcda 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4175. [bug] TKEY with GSS-API keys needed bigger buffers.
+ [RT #40333]
+
 4174. [bug] "dnssec-coverage -r" didn't handle time unit
 suffixes correctly. [RT #38444]
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index 9cbfe7931f..3a3af34a98 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -633,7 +633,6 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
 if (gouttoken.length != 0U) {
 GBUFFER_TO_REGION(gouttoken, r);
 RETERR(isc_buffer_copyregion(outtoken, &r));
- (void)gss_release_buffer(&minor, &gouttoken);
 }
 if (gret == GSS_S_COMPLETE)
@@ -642,6 +641,8 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
 result = DNS_R_CONTINUE;
 out:
+ if (gouttoken.length != 0U)
+ (void)gss_release_buffer(&minor, &gouttoken);
 (void)gss_release_name(&minor, &gname);
 return (result);
 #else
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 34ad90bca3..a69b4c9bf5 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -15,9 +15,6 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/*
- * $Id$
- */
 /*! \file */
 #include
@@ -48,6 +45,7 @@
 #include "dst_internal.h"
+#define TEMP_BUFFER_SZ 8192
 #define TKEY_RANDOM_AMOUNT 16
 #ifdef PKCS11CRYPTO
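Review bot: The release moved to `out:` now runs on every exit path of dst_gssapi_initctx(), including any `goto out` taken before gss_init_sec_context() has filled `gouttoken`; that is only safe if `gouttoken` is initialised to GSS_C_EMPTY_BUFFER at its declaration, which is outside this hunk and worth confirming. If it is, the added guard `if (gouttoken.length != 0U)` is redundant, since gss_release_buffer() accepts an empty buffer as a no-op, though keeping it is harmless. The previous placement leaked the token whenever isc_buffer_copyregion() failed, so the move itself is the right fix. dst_gssapi_initctx() starts before the hunk.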
@@ -74,19 +72,38 @@ tkey_log(const char *fmt, ...) {
 }
 static void
-_dns_tkey_dumpmessage(dns_message_t *msg) {
+dumpmessage(dns_message_t *msg) {
 isc_buffer_t outbuf;
- unsigned char output[4096];
+ unsigned char *output;
+ int len = TEMP_BUFFER_SZ;
 isc_result_t result;
- isc_buffer_init(&outbuf, output, sizeof(output));
- result = dns_message_totext(msg, &dns_master_style_debug, 0,
- &outbuf);
- if (result != ISC_R_SUCCESS)
- fprintf(stderr, "Warning: dns_message_totext returned: %s\n",
- dns_result_totext(result));
- fprintf(stderr, "%.*s\n", (int)isc_buffer_usedlength(&outbuf),
- (char *)isc_buffer_base(&outbuf));
+ for (;;) {
+ output = isc_mem_get(msg->mctx, len);
+ if (output == NULL)
+ return;
+
+ isc_buffer_init(&outbuf, output, len);
+ result = dns_message_totext(msg, &dns_master_style_debug,
+ 0, &outbuf);
+ if (result == ISC_R_NOSPACE) {
+ isc_mem_put(msg->mctx, output, len);
+ len *= 2;
+ continue;
+ }
+
+ if (result == ISC_R_SUCCESS)
+ tkey_log("%.*s",
+ (int)isc_buffer_usedlength(&outbuf),
+ (char *)isc_buffer_base(&outbuf));
+ else
+ tkey_log("Warning: dns_message_totext: %s",
+ dns_result_totext(result));
+ break;
+ }
+
+ if (output != NULL)
+ isc_mem_put(msg->mctx, output, len);
 }
 isc_result_t
@@ -866,6 +883,7 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 dns_rdata_t *rdata = NULL;
 isc_buffer_t *dynbuf = NULL, *anamebuf = NULL, *qnamebuf = NULL;
 isc_result_t result;
+ unsigned int len;
 REQUIRE(msg != NULL);
 REQUIRE(name != NULL);
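Review bot: In the ISC_R_NOSPACE branch of dumpmessage() `len *= 2` has no upper bound, and `len` is a signed `int` passed to isc_mem_get() and isc_buffer_init(), which take unsigned sizes; a message that dns_message_totext() keeps refusing would grow the allocation until the memory context fails or `len` overflows. That branch also frees `output` before looping, so the trailing `if (output != NULL) isc_mem_put(...)` is only correct because the loop can currently leave only via `return` or `break`; any future early exit from the branch would double-free. Declaring `len` unsigned, capping the growth (a smaller project-chosen limit than the one below would be reasonable) and returning from the branch directly keeps the single free at the bottom valid. dumpmessage() is entirely inside the hunk.
```c
	unsigned int len = TEMP_BUFFER_SZ;
	/* … unchanged: declarations, allocation, dns_message_totext call … */
		if (result == ISC_R_NOSPACE) {
			isc_mem_put(msg->mctx, output, len);
			if (len > UINT_MAX / 2) {
				tkey_log("Warning: message too large to dump");
				return;
			}
			len *= 2;
			continue;
		}
		/* … unchanged: logging, break, final isc_mem_put … */
```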
@@ -878,9 +896,10 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 dns_rdataset_makequestion(question, dns_rdataclass_any, dns_rdatatype_tkey);
- RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 4096));
- RETERR(isc_buffer_allocate(msg->mctx, &anamebuf, DNS_NAME_MAXWIRE));
- RETERR(isc_buffer_allocate(msg->mctx, &qnamebuf, DNS_NAME_MAXWIRE));
+ len = 16 + tkey->algorithm.length + tkey->keylen + tkey->otherlen;
+ RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, len));
+ RETERR(isc_buffer_allocate(msg->mctx, &anamebuf, name->length));
+ RETERR(isc_buffer_allocate(msg->mctx, &qnamebuf, name->length));
 RETERR(dns_message_gettemprdata(msg, &rdata));
 RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
@@ -896,10 +915,10 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 RETERR(dns_rdatalist_tordataset(tkeylist, tkeyset));
 dns_name_init(qname, NULL);
- dns_name_copy(name, qname, qnamebuf);
+ RETERR(dns_name_copy(name, qname, qnamebuf));
 dns_name_init(aname, NULL);
- dns_name_copy(name, aname, anamebuf);
+ RETERR(dns_name_copy(name, aname, anamebuf));
 ISC_LIST_APPEND(qname->list, question, link);
 ISC_LIST_APPEND(aname->list, tkeyset, link);
@@ -934,7 +953,6 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 isc_buffer_free(&qnamebuf);
 if (anamebuf != NULL)
 isc_buffer_free(&anamebuf);
- printf("buildquery error\n");
 return (result);
 }
@@ -1026,7 +1044,7 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
 isc_result_t result;
 isc_stdtime_t now;
 isc_buffer_t token;
- unsigned char array[4096];
+ unsigned char array[TEMP_BUFFER_SZ];
 UNUSED(intoken);
@@ -1063,12 +1081,7 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
 tkey.other = NULL;
 tkey.otherlen = 0;
- RETERR(buildquery(msg, name, &tkey, win2k));
-
- return (ISC_R_SUCCESS);
-
- failure:
- return (result);
+ return (buildquery(msg, name, &tkey, win2k));
 }
 isc_result_t
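Review bot: The `16` in `len = 16 + tkey->algorithm.length + tkey->keylen + tkey->otherlen;` is the size of the TKEY RR's fixed-width fields (inception 4, expiration 4, mode 2, error 2, key size 2, other size 2) and nothing on the line says so, so the next reader has to re-derive why the buffer is exactly large enough. A short comment above the assignment, `/* fixed TKEY fields: inception(4) + expire(4) + mode(2) + error(2) + keysize(2) + othersize(2) */`, would pin that down. Presumably dns_rdata_fromstruct() into `dynbuf` reports ISC_R_NOSPACE rather than overrunning if the sum were ever short, but buildquery() continues outside the hunk, so whether `dynbuf` is used for anything besides that rdata cannot be confirmed here.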
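Review bot: `unsigned char array[TEMP_BUFFER_SZ]` keeps the GSS output token in a fixed 8 KiB stack buffer, so this hunk only raises the cap from 4096; a token larger than that (large Kerberos tickets carrying PAC data are the usual offender) will still be rejected rather than fit. If `token` is the outtoken handed to dst_gssapi_initctx(), the gssapictx.c hunk shows the copy going through isc_buffer_copyregion() under RETERR, so an oversized token presumably surfaces as an error rather than a write past the array, making this a functional limit, not a memory-safety one. Consider allocating the buffer from msg->mctx sized to the token, or at least documenting the bound with `/* must hold the largest GSS output token we expect; bigger tokens fail in dst_gssapi_initctx() rather than here */`. The part of dns_tkey_buildgssquery() between this hunk and the next is outside this view.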
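Review bot: With the `failure:` label removed, no RETERR() can remain in dns_tkey_buildgssquery() if RETERR() jumps to `failure` as the removed lines suggest, so the `isc_result_t result;` still declared as context in the hunk at line 1044 looks unused unless the body outside the hunk assigns it; if it is dead it should be dropped to avoid an unused-variable warning under -Wall. The direct `return (buildquery(msg, name, &tkey, win2k));` is otherwise a clean simplification.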
@@ -1298,8 +1311,8 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm)) {
 tkey_log("dns_tkey_processgssresponse: tkey mode invalid " "or error set(2) %d", rtkey.error);
- _dns_tkey_dumpmessage(qmsg);
- _dns_tkey_dumpmessage(rmsg);
+ dumpmessage(qmsg);
+ dumpmessage(rmsg);
 result = DNS_R_INVALIDTKEY;
 goto failure;
 }