diff --git a/CHANGES b/CHANGES
index c019c97e90..7b0cce818b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4588.	[bug]		nsupdate could send queries for TKEY to the wrong
+			server when using GSSAPI. Thanks to Tomas Hozza.
+			[RT #39893]
+
 4587.	[bug]		named-checkzone failed to handle occulted data below
 			DNAMEs correctly. [RT #44877]
 
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 3b3949d4fa..ffbc7e12f5 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2751,10 +2751,8 @@ start_gssrequest(dns_name_t *master) {
 		if (kserver == NULL)
 			fatal("out of memory");
 	}
-	if (servers == NULL)
-		get_addresses(namestr, dnsport, kserver, 1);
-	else
-		memmove(kserver, &servers[ns_inuse], sizeof(isc_sockaddr_t));
+
+	memmove(kserver, &master_servers[master_inuse], sizeof(isc_sockaddr_t));
 
 	dns_fixedname_init(&fname);
 	servname = dns_fixedname_name(&fname);
@@ -2899,11 +2897,11 @@ recvgss(isc_task_t *task, isc_event_t *event) {
 	}
 
 	if (eresult != ISC_R_SUCCESS) {
-		next_server("recvgss", addr, eresult);
+		next_master("recvgss", addr, eresult);
 		ddebug("Destroying request [%p]", request);
 		dns_request_destroy(&request);
 		dns_message_renderreset(tsigquery);
-		sendrequest(&servers[ns_inuse], tsigquery, &request);
+		sendrequest(&master_servers[master_inuse], tsigquery, &request);
 		isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
 		isc_event_free(&event);
 		return;