diff --git a/CHANGES b/CHANGES
index 06f7551637..e472d096bf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3110. [bug] dnssec-signzone: Wrong error message could appear
+ when attempting to sign with no KSK. [RT #24369]
+
 3109. [func] The also-notify option now uses the same syntax as a zone's masters clause. This means it is now possible to specify a TSIG key to use when
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 1fdb4becf4..a639c72941 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-signzone.c,v 1.275 2011/05/06 21:08:33 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.276 2011/05/07 00:31:13 each Exp $ */

 /*! \file */

@@ -3906,6 +3906,8 @@ main(int argc, char *argv[]) {
 nokeys = ISC_TRUE;
 }

+ warnifallksk(gdb);
+
 if (IS_NSEC3) {
 unsigned int max;
 result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
@@ -3915,8 +3917,6 @@ main(int argc, char *argv[]) {
 "strength. Maximum iterations allowed %u.", max);
 }

- warnifallksk(gdb);
-
 gversion = NULL;
 result = dns_db_newversion(gdb, &gversion);
 check_result(result, "dns_db_newversion()");
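Review bot: The `warnifallksk(gdb);` call that now sits ahead of the `if (IS_NSEC3)` block in main() carries an ordering requirement that nothing in the code records. Judging by the CHANGES entry, the missing-KSK diagnosis has to be reported before the NSEC3 iteration check can emit its own, misleading, error, so a later reshuffle of these statements could quietly bring the wrong message back. I would add a comment directly above the call, for example `/* Must run before the NSEC3 iteration check so that a missing KSK is reported with the correct message. */`. main() begins and ends outside both hunks and the body of warnifallksk() is not shown, so the rationale is inferred from the changelog and should be confirmed against that function.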