diff --git a/CHANGES b/CHANGES
index 65e1f290e0..35b32936fe 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4229.	[bug]		A variable could be used uninitalised in
+			dns_update_signaturesinc. [RT #40784]
+
 4228.	[bug]		Address race condition in dns_client_destroyrestrans.
 			[RT #40605]
 
diff --git a/lib/dns/update.c b/lib/dns/update.c
index 052d0f9b12..7f780d12a7 100644
--- a/lib/dns/update.c
+++ b/lib/dns/update.c
@@ -1361,7 +1361,7 @@ struct dns_update_state {
 	unsigned int nkeys;
 	isc_stdtime_t inception, expire;
 	dns_ttl_t nsecttl;
-	isc_boolean_t check_ksk, keyset_kskonly;
+	isc_boolean_t check_ksk, keyset_kskonly, build_nsec3;
 	enum { sign_updates, remove_orphaned, build_chain, process_nsec,
 	       sign_nsec, update_nsec3, process_nsec3, sign_nsec3 } state;
 };
@@ -1376,7 +1376,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 	dns_update_state_t mystate, *state;
 
 	dns_difftuple_t *t, *next;
-	isc_boolean_t flag, build_nsec, build_nsec3;
+	isc_boolean_t flag, build_nsec;
 	unsigned int i;
 	isc_stdtime_t now;
 	dns_rdata_soa_t soa;
@@ -1405,6 +1405,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		dns_diff_init(diff->mctx, &state->nsec_mindiff);
 		dns_diff_init(diff->mctx, &state->work);
 		state->nkeys = 0;
+		state->build_nsec3 = ISC_FALSE;
 
 		result = find_zone_keys(zone, db, newver, diff->mctx,
 					DNS_MAXZONEKEYS, state->zone_keys,
@@ -1569,7 +1570,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		 * See if we need to build NSEC or NSEC3 chains.
 		 */
 		CHECK(dns_private_chains(db, newver, privatetype, &build_nsec,
-					 &build_nsec3));
+					 &state->build_nsec3));
 		if (!build_nsec) {
 			state->state = update_nsec3;
 			goto next_state;
@@ -1832,7 +1833,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		INSIST(ISC_LIST_EMPTY(state->nsec_diff.tuples));
 		INSIST(ISC_LIST_EMPTY(state->nsec_mindiff.tuples));
 
-		if (!build_nsec3) {
+		if (!state->build_nsec3) {
 			update_log(log, zone, ISC_LOG_DEBUG(3),
 				   "no NSEC3 chains to rebuild");
 			goto failure;