diff --git a/CHANGES b/CHANGES
index 4f7ace543a..d0ed6212f3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2331.	[bug]		Failure to regenerate any signatures was not being reported
+			or past back to the UPDATE client. [RT #17570]
+
 2330.	[bug]		Remove potential race condition when handling
 			over memory events. [RT #17572]
 
diff --git a/bin/named/update.c b/bin/named/update.c
index de529036f1..10c7682d73 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.141 2008/01/18 23:46:57 tbox Exp $ */
+/* $Id: update.c,v 1.142 2008/02/07 03:12:15 marka Exp $ */
 
 #include <config.h>
 
@@ -1675,10 +1675,11 @@ ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
  * Add RRSIG records for an RRset, recording the change in "diff".
  */
 static isc_result_t
-add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
-	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
-	 isc_stdtime_t expire, isc_boolean_t check_ksk)
+add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+	 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
+	 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
+	 isc_mem_t *mctx, isc_stdtime_t inception, isc_stdtime_t expire,
+	 isc_boolean_t check_ksk)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -1687,6 +1688,7 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	isc_buffer_t buffer;
 	unsigned char data[1024]; /* XXX */
 	unsigned int i;
+	isc_boolean_t added_sig = ISC_FALSE;
 
 	dns_rdataset_init(&rdataset);
 	isc_buffer_init(&buffer, data, sizeof(data));
@@ -1716,6 +1718,13 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name,
 				    rdataset.ttl, &sig_rdata));
 		dns_rdata_reset(&sig_rdata);
+		added_sig = ISC_TRUE;
+	}
+	if (!added_sig) {
+		update_log(client, zone, ISC_LOG_ERROR,
+			   "found no private keys, "
+			   "unable to generate any signatures");
+		result = ISC_R_NOTFOUND;
 	}
 
  failure:
@@ -1847,9 +1856,9 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			 */
 			CHECK(rrset_exists(db, newver, name, type, 0, &flag));
 			if (flag) {
-				CHECK(add_sigs(db, newver, name, type,
-					       &sig_diff, zone_keys, nkeys,
-					       client->mctx, inception,
+				CHECK(add_sigs(client, zone, db, newver, name,
+					       type, &sig_diff, zone_keys,
+					       nkeys, client->mctx, inception,
 					       expire, check_ksk));
 			}
 		skip:
@@ -2033,10 +2042,10 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 					dns_rdatatype_rrsig, dns_rdatatype_nsec,
 					NULL, &sig_diff));
 		} else if (t->op == DNS_DIFFOP_ADD) {
-			CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
-				       &sig_diff, zone_keys, nkeys,
-				       client->mctx, inception, expire,
-				       check_ksk));
+			CHECK(add_sigs(client, zone, db, newver, &t->name,
+				       dns_rdatatype_nsec, &sig_diff,
+				       zone_keys, nkeys, client->mctx,
+				       inception, expire, check_ksk));
 		} else {
 			INSIST(0);
 		}