diff --git a/CHANGES b/CHANGES
index 7792f29c9f..5beab0f4fc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4680.	[bug]		Fix failing over to another master server address when
+			nsupdate is used with GSS-API. [RT #45380]
+
 4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
 			not at top of zone and -o is not used. [RT #45519]
 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 2ef75905a2..eaac2ef2fc 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2950,11 +2950,17 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (eresult != ISC_R_SUCCESS) {
-		next_master("recvgss", addr, eresult);
 		ddebug("Destroying request [%p]", request);
 		dns_request_destroy(&request);
-		dns_message_renderreset(tsigquery);
-		sendrequest(&master_servers[master_inuse], tsigquery, &request);
+		if (!next_master("recvgss", addr, eresult)) {
+			dns_message_destroy(&tsigquery);
+			failed_gssrequest();
+		} else {
+			dns_message_renderreset(tsigquery);
+			memmove(kserver, &master_servers[master_inuse],
+				sizeof(isc_sockaddr_t));
+			send_gssrequest(kserver, tsigquery, &request, context);
+		}
 		isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
 		isc_event_free(&event);
 		return;