diff --git a/opendkim/opendkim-dns.c b/opendkim/opendkim-dns.c
index 434527d..b5138ec 100644
--- a/opendkim/opendkim-dns.c
+++ b/opendkim/opendkim-dns.c
@@ -81,6 +81,7 @@ struct dkimf_unbound_cb_data
 	DKIM_STAT		ubd_stat;
 	size_t			ubd_buflen;
 	u_char *		ubd_buf;
+	const char *		ubd_strerror;
 };
 
 /*
@@ -101,19 +102,22 @@ dkimf_unbound_cb(void *mydata, int err, struct ub_result *result)
 	struct dkimf_unbound_cb_data *ubdata;
 
 	ubdata = (struct dkimf_unbound_cb_data *) mydata;
-	ubdata->ubd_done = FALSE;
-	ubdata->ubd_stat = DKIM_STAT_NOKEY;
-	ubdata->ubd_rcode = result->rcode;
-	memcpy(ubdata->ubd_buf, result->answer_packet,
-	       MIN(ubdata->ubd_buflen, result->answer_len));
-	ubdata->ubd_buflen = result->answer_len;
 
 	if (err != 0)
 	{
+		ubdata->ubd_done = TRUE;
 		ubdata->ubd_stat = DKIM_STAT_INTERNAL;
+		ubdata->ubd_strerror = ub_strerror(err);
 		return;
 	}
 
+	ubdata->ubd_done = FALSE;
+	ubdata->ubd_stat = DKIM_STAT_NOKEY;
+	ubdata->ubd_rcode = result->rcode;
+	memcpy(ubdata->ubd_buf, result->answer_packet,
+	       MIN(ubdata->ubd_buflen, result->answer_len));
+	ubdata->ubd_buflen = result->answer_len;
+
 	/*
 	**  Check whether reply is either secure or insecure.  If bogus,
 	**  treat as if no key exists.
@@ -375,6 +379,7 @@ dkimf_ub_query(void *srv, int type, unsigned char *query,
 	ubdata = (struct dkimf_unbound_cb_data *) malloc(sizeof *ubdata);
 	if (ubdata == NULL)
 		return DKIM_DNS_ERROR;
+	memset(ubdata, '\0', sizeof *ubdata);
 
 	status = dkimf_unbound_queue(ub, (char *) query, type, buf, buflen,
 	                             ubdata);