diff --git a/CHANGES b/CHANGES
index 1890342708..bae6fd8eca 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3299.	[bug]		Make SDB handle errors from database drivers better.
+			[RT #28534]
+
 3298.	[bug]		Named could dereference a NULL pointer in
 			zmgr_start_xfrin_ifquota if the zone was being removed.
 			[RT #28419]
diff --git a/bin/named/query.c b/bin/named/query.c
index b53462101b..0a0f8d2b12 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -3379,6 +3379,11 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 		dns_name_copy(name, cname, NULL);
 		while (result == DNS_R_NXDOMAIN) {
 			labels = dns_name_countlabels(cname) - 1;
+			/*
+			 * Sanity check.
+			 */
+			if (labels == 0U)
+				goto cleanup;
 			dns_name_split(cname, labels, NULL, cname);
 			result = dns_db_findext(db, cname, version,
 						dns_rdatatype_nsec,
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 04eae41a14..43017b7bd2 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -845,10 +845,17 @@ findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		dns_name_getlabelsequence(name, nlabels - i, i, xname);
 		result = findnodeext(db, xname, ISC_FALSE, methods,
 				     clientinfo, &node);
-		if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND) {
+			/*
+			 * No data at zone apex?
+			 */
+			if (i == olabels)
+				return (DNS_R_BADDB);
 			result = DNS_R_NXDOMAIN;
 			continue;
 		}
+		if (result != ISC_R_SUCCESS)
+			return (result);
 
 		/*
 		 * Look for a DNAME at the current label, unless this is