diff --git a/CHANGES b/CHANGES
index 9e44d1a7ff..808ed300f0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,8 @@
 	--- 9.10.2rc2 released ---
 
+4060.	[bug]		dns_rdata_freestruct could be call on a uninitialised
+			structure when handling a error. [RT #38568]
+
 4059.	[bug]		Addressed valgrind warnings. [RT #38549]
 
 4058.	[bug]		UDP dispatches could use the wrong psuedorandom
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index fd559176e5..263988b575 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -1403,6 +1403,7 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;
 	unsigned char array[1024];
+	isc_boolean_t freertkey = ISC_FALSE;
 
 	REQUIRE(qmsg != NULL);
 	REQUIRE(rmsg != NULL);
@@ -1415,6 +1416,7 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 
 	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
 	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+	freertkey = ISC_TRUE;
 
 	if (win2k == ISC_TRUE)
 		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
@@ -1467,7 +1469,8 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
 	/*
 	 * XXXSRA This probably leaks memory from qtkey.
 	 */
-	dns_rdata_freestruct(&rtkey);
+	if (freertkey)
+		dns_rdata_freestruct(&rtkey);
 	if (dstkey != NULL)
 		dst_key_free(&dstkey);
 	return (result);