diff --git a/CHANGES b/CHANGES
index 6bed7e4752..acfa7f552e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4038. [bug] Add 'rpz' flag to node and use it to determine whether
+ to call dns_rpz_delete. This should prevent unbalanced
+ add / delete calls. [RT #36888]
+
 4037. [bug] also-notify was ignoring the tsig key when checking for duplicates resulting in some expected notify messages not being sent. [RT #38369]
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index 34c7f7ef96..7c3a5e7ad7 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -126,6 +126,9 @@ struct dns_rbtnode {
 unsigned int down_is_relative : 1;
 unsigned int data_is_relative : 1;
+ /* node needs to be cleaned from rpz */
+ unsigned int rpz : 1;
+
 #ifdef DNS_RBT_USEHASH
 unsigned int hashval;
 #endif
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 7a440274aa..2ad3b782c2 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -2186,6 +2186,7 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 node->right_is_relative = 0;
 node->parent_is_relative = 0;
 node->data_is_relative = 0;
+ node->rpz = 0;
 #ifdef DNS_RBT_USEHASH
 HASHNEXT(node) = NULL;
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index d491b6a45a..36d9c72914 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1834,7 +1834,7 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node)
 switch (node->nsec) {
 case DNS_RBT_NSEC_NORMAL:
- if (rbtdb->rpzs != NULL) {
+ if (rbtdb->rpzs != NULL && node->rpz) {
 dns_fixedname_init(&fname);
 name = dns_fixedname_name(&fname);
 dns_rbt_fullnamefromnode(node, name);
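Review bot: The comment on the new `rpz` bit in the rbt.h hunk does not say who sets it or which lock covers it. The bit sits in the same bitfield run as `down_is_relative` and `data_is_relative`, so a write to it is a read-modify-write of storage shared with those flags, and the other hunks set it in findnodeintree and loadnode and read it in delete_node. I would expand the comment to something like `/* set after dns_rpz_add() succeeds for this node; delete_node() calls dns_rpz_delete() only when set */` and add which lock must be held for the write. The callers' locking is outside these hunks, so that part needs confirming against them.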
@@ -1873,9 +1873,9 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node)
 isc_result_totext(result));
 }
 }
- result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
- if (rbtdb->rpzs != NULL)
+ if (rbtdb->rpzs != NULL && node->rpz)
 dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name);
+ result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
 break;
 case DNS_RBT_NSEC_NSEC:
 result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE);
@@ -2901,6 +2901,8 @@ findnodeintree(dns_rbtdb_t *rbtdb, dns_rbt_t *tree, dns_name_t *name,
 fname = dns_fixedname_name(&fnamef);
 dns_rbt_fullnamefromnode(node, fname);
 result = dns_rpz_add(rbtdb->rpzs, rbtdb->rpz_num, fname);
+ if (result == ISC_R_SUCCESS)
+ node->rpz = 1;
 if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) {
 /*
 * It is too late to give up, so merely complain.
@@ -7063,7 +7065,9 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
 if (rbtdb->rpzs != NULL && noderesult == ISC_R_SUCCESS) {
 noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num, name);
- if (noderesult != ISC_R_SUCCESS) {
+ if (noderesult == ISC_R_SUCCESS) {
+ node->rpz = 1;
+ } else {
 /*
 * Remove the node we just added above.
 */
@@ -7121,6 +7125,11 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
 }
 if (noderesult == ISC_R_SUCCESS) {
+ /*
+ * Clean rpz entries added above.
+ */
+ if (rbtdb->rpzs != NULL && node->rpz)
+ dns_rpz_delete(rbtdb->load_rpzs, rbtdb->rpz_num, name);
 /*
 * Remove the node we just added above.
 */
@@ -7135,8 +7144,6 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
 "dns_rbt_addnode(NSEC): %s",
 isc_result_totext(tmpresult),
 isc_result_totext(noderesult));
- if (rbtdb->rpzs != NULL && noderesult == ISC_R_SUCCESS)
- dns_rpz_delete(rbtdb->load_rpzs, rbtdb->rpz_num, name);
 }
 /*
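Review bot: The reordering in the delete_node hunk at -1873 is load-bearing but undocumented: `node->rpz` has to be read before `dns_rbt_deletenode()` runs, presumably because that call releases the node. The same ordering is introduced in the loadnode hunk at -7121. A later cleanup that moves the rpz delete back after the tree removal would read a node that is no longer valid. I would add `/* test node->rpz before dns_rbt_deletenode(); the node is not valid afterwards */` above the `if` in both places. The enclosing switch case starts outside this hunk, so where `name` is filled in for this path is not visible here.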
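Review bot: When `dns_rpz_add()` returns ISC_R_EXISTS in the findnodeintree hunk, the node keeps `rpz == 0`, so delete_node will later skip `dns_rpz_delete()` for it, and nothing in the hunk says whether that is intended. If it is, a comment such as `/* ISC_R_EXISTS: nothing was added on behalf of this node, leave rpz clear */` would keep a later reader from treating it as an oversight. The two back-to-back tests on `result` would also read more clearly as one chain, `if (result == ISC_R_SUCCESS) node->rpz = 1; else if (result != ISC_R_EXISTS) {`. The body of the error branch continues outside the hunk.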
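Review bot: The guard added in the loadnode hunk at -7121 tests `rbtdb->rpzs`, but the call removes the name from `rbtdb->load_rpzs`. That mirrors the add in the -7063 hunk, and as far as these hunks show `node->rpz` can only have been set there on this path, so the `rbtdb->rpzs != NULL` half looks redundant. Either drop it or reword the comment to `Clean rpz entries added to load_rpzs above.` so the differing names do not read as a typo. Whether load_rpzs is always non-NULL when rpzs is set is not visible here.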