diff --git a/CHANGES b/CHANGES
index d374179850..c9de9cfd9a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,9 @@
 			``named`` now sets the DON'T FRAGMENT flag on outgoing
 			UDP packets. [GL #2183]
 
+5665.	[bug]		'nsupdate' did not retry with another server if
+			it received a REFUSED response. [GL #2758]
+
 5664.	[func]		Handle a UDP sending error on UDP messages larger
 			than the path MTU; in such a case an empty response is
 			sent back with the TC (TrunCated) bit set. Re-enable
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 3b18892ba9..69bcfe0742 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2661,6 +2661,17 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 	check_result(result, "dns_request_getresponse");
+
+	if (rcvmsg->rcode == dns_rcode_refused) {
+		next_server("recvsoa", addr, DNS_R_REFUSED);
+		dns_message_detach(&rcvmsg);
+		dns_request_destroy(&request);
+		dns_message_renderreset(soaquery);
+		dns_message_settsigkey(soaquery, NULL);
+		sendrequest(&servers[ns_inuse], soaquery, &request);
+		return;
+	}
+
 	section = DNS_SECTION_ANSWER;
 	POST(section);
 	if (debugging) {