diff --git a/selftest/knownfail.d/dns_tkey b/selftest/knownfail.d/dns_tkey
index 8ce60f8507c..12c38d83b97 100644
--- a/selftest/knownfail.d/dns_tkey
+++ b/selftest/knownfail.d/dns_tkey
@@ -1,7 +1,6 @@
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_keyname.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_mac.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_answers.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_microsoft_com_tkey_req_answers.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_algorithm.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_changed_algorithm1.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_additional.fl2008r2dc
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 3ac3cd4b2b1..1f46ee0aa19 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -799,12 +799,22 @@ static WERROR handle_tkey(struct dns_server *dns,
 {
 	struct dns_res_rec *in_tkey = NULL;
 	struct dns_res_rec *ret_tkey;
-	uint16_t i;
 
-	for (i = 0; i < in->arcount; i++) {
+	/*
+	 * TKEY needs to we the last one in
+	 * additional or answers
+	 */
+	if (in->arcount >= 1) {
+		uint16_t i = in->arcount - 1;
 		if (in->additional[i].rr_type == DNS_QTYPE_TKEY) {
 			in_tkey = &in->additional[i];
-			break;
+		}
+	} else if (in->nscount >= 1) {
+		/* no lookup */
+	} else if (in->ancount >= 1) {
+		uint16_t i = in->ancount - 1;
+		if (in->answers[i].rr_type == DNS_QTYPE_TKEY) {
+			in_tkey = &in->answers[i];
 		}
 	}