diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index a1df18a6af..4109a4f975 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -646,7 +646,7 @@ cleanup:
 
 isc_result_t
 dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
-		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     isc_region_t *intoken, isc_buffer_t **outtokenp,
 		     dns_gss_ctx_id_t *ctxout, dns_name_t *principal,
 		     isc_mem_t *mctx) {
 	isc_region_t r;
@@ -659,7 +659,7 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 	isc_result_t result;
 	char buf[1024];
 
-	REQUIRE(outtoken != NULL && *outtoken == NULL);
+	REQUIRE(outtokenp != NULL && *outtokenp == NULL);
 	REQUIRE(*ctxout == NULL);
 
 	REGION_TO_GBUFFER(*intoken, gintoken);
@@ -740,10 +740,10 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 	}
 
 	if (gouttoken.length > 0U) {
-		isc_buffer_allocate(mctx, outtoken,
+		isc_buffer_allocate(mctx, outtokenp,
 				    (unsigned int)gouttoken.length);
 		GBUFFER_TO_REGION(gouttoken, r);
-		CHECK(isc_buffer_copyregion(*outtoken, &r));
+		CHECK(isc_buffer_copyregion(*outtokenp, &r));
 		(void)gss_release_buffer(&minor, &gouttoken);
 	}
 
@@ -781,6 +781,10 @@ dst_gssapi_acceptctx(dns_gss_cred_id_t cred, const char *gssapi_keytab,
 	*ctxout = context;
 
 cleanup:
+	if (result != ISC_R_SUCCESS && *outtokenp != NULL) {
+		isc_buffer_free(outtokenp);
+	}
+
 	if (result != ISC_R_SUCCESS && context != GSS_C_NO_CONTEXT) {
 		(void)gss_delete_sec_context(&minor, &context, NULL);
 	}
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index a78dc83f03..072c85e984 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -540,13 +540,10 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 				      &intoken, &outtoken, &gss_ctx, principal,
 				      tctx->mctx);
 	if (result != ISC_R_SUCCESS) {
-		if (tsigkey != NULL) {
-			dns_tsigkey_detach(&tsigkey);
-		}
 		tkeyout->error = dns_tsigerror_badkey;
-		tkey_log("process_gsstkey(): dns_tsigerror_badkey"); /* XXXSRA
-								      */
-		return ISC_R_SUCCESS;
+		tkey_log("process_gsstkey(): dns_tsigerror_badkey");
+		result = ISC_R_SUCCESS;
+		goto cleanup;
 	}
 
 	/*
@@ -558,9 +555,11 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin,
 	isc_stdtime_get(&now);
 
 	if (dns_name_countlabels(principal) == 0U) {
-		if (tsigkey != NULL) {
-			dns_tsigkey_detach(&tsigkey);
-		}
+		tkeyout->error = dns_tsigerror_badkey;
+		tkey_log("process_gsstkey(): "
+			 "completed context with empty principal");
+		result = ISC_R_SUCCESS;
+		goto cleanup;
 	} else if (tsigkey == NULL) {
 #if HAVE_GSSAPI
 		OM_uint32 gret, minor, lifetime;
@@ -638,9 +637,9 @@ cleanup:
 		isc_buffer_free(&outtoken);
 	}
 
-	tkey_log("process_gsstkey(): %s", isc_result_totext(result)); /* XXXSRA
-								       */
-
+	if (result != ISC_R_SUCCESS) {
+		tkey_log("process_gsstkey(): %s", isc_result_totext(result));
+	}
 	return result;
 }