diff --git a/bind-9.11-rh1236087.patch b/bind-9.11-rh1236087.patch
new file mode 100644
index 0000000..569db9b
--- /dev/null
+++ b/bind-9.11-rh1236087.patch
@@ -0,0 +1,46 @@
+From 66b71679b78ad6cf2c4e5c8c1216b602e0fe1e9b Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Thu, 20 Apr 2017 09:28:37 -0700
+Subject: [PATCH] [master] nsupdate: send tkey queries to the right server
+
+4588.	[bug]		nsupdate could send queries for TKEY to the wrong
+			server when using GSSAPI. Thanks to Tomas Hozza.
+			[RT #39893]
+---
+ bin/nsupdate/nsupdate.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 9572fd8..8fc5b20 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -2799,10 +2799,8 @@ start_gssrequest(dns_name_t *master) {
+ 		if (kserver == NULL)
+ 			fatal("out of memory");
+ 	}
+-	if (servers == NULL)
+-		get_addresses(namestr, dnsport, kserver, 1);
+-	else
+-		memmove(kserver, &servers[ns_inuse], sizeof(isc_sockaddr_t));
++
++	memmove(kserver, &master_servers[master_inuse], sizeof(isc_sockaddr_t));
+ 
+ 	dns_fixedname_init(&fname);
+ 	servname = dns_fixedname_name(&fname);
+@@ -2947,11 +2945,11 @@ recvgss(isc_task_t *task, isc_event_t *event) {
+ 	}
+ 
+ 	if (eresult != ISC_R_SUCCESS) {
+-		next_server("recvgss", addr, eresult);
++		next_master("recvgss", addr, eresult);
+ 		ddebug("Destroying request [%p]", request);
+ 		dns_request_destroy(&request);
+ 		dns_message_renderreset(tsigquery);
+-		sendrequest(&servers[ns_inuse], tsigquery, &request);
++		sendrequest(&master_servers[master_inuse], tsigquery, &request);
+ 		isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
+ 		isc_event_free(&event);
+ 		return;
+-- 
+2.9.3
+
diff --git a/bind.spec b/bind.spec
index 2f3af4d..7374b45 100644
--- a/bind.spec
+++ b/bind.spec
@@ -25,7 +25,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  ISC
 Version:  9.10.4
-Release:  4%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
+Release:  5%{?PATCHVER:.%{PATCHVER}}%{?PREVER:.%{PREVER}}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -82,6 +82,7 @@ Patch136:bind-9.10-dist-native-pkcs11.patch
 # introduced by https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=fc9f0ac5778f78003a7acc957a23711811fec122
 Patch137:bind-9.10-use-of-strlcat.patch
 Patch138:bind-9.10-docbook-xsl.patch
+Patch139: bind-9.11-rh1236087.patch
 
 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -312,6 +313,7 @@ Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz>
 %patch130 -p1 -b .libdb
 %patch131 -p1 -b .multlib-conflict
 %patch138 -p1 -b .docbook-xsl
+%patch139 -p1 -b .rh1236087
 
 %if %{PKCS11}
 cp -r bin/named{,-pkcs11}
@@ -1008,6 +1010,9 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Mon Apr 24 2017 Petr Menšík <pemensik@redhat.com> - 32:9.10.4-5.P8
+- Fix queries for TKEY in nsupdate, when using GSSAPI (#1236087)
+
 * Thu Apr 13 2017 Petr Menšík <pemensik@redhat.com> - 32:9.10.4-4.P8
 - Update to 9.10.4-P8