diff --git a/CHANGES b/CHANGES
index d380aabc4e..225fb4cd88 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,17 @@
 
+3.2.0-dev.53 | 2020-02-18 12:12:28 -0800
+
+  * Make DNS NSEC3 parsing more resilient to introducing a memory leak
+    when no dns_NSEC3 handler exists (Max Kellermann)
+
+  * analyzer/protocol/dns: change runtime check to assert() (Max Kellermann)
+
+    If it were legal to call SendReplyOrRejectEvent() without an
+    EventHandlerPtr, then this would leak the `question_name` object.  But
+    this method has just one caller, and it verifies the EventHandlerPtr.
+
+  * Fix memory leak when no dns_TSIG_addl event handler exists (Max Kellermann)
+
 3.2.0-dev.46 | 2020-02-14 22:02:50 -0800
 
   * Fix code format of various reporter btests (Jon Siwek, Corelight)
diff --git a/VERSION b/VERSION
index 5972b3e517..a47090db7c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.2.0-dev.46
+3.2.0-dev.53
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index db072ffeb3..38293f92ac 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -769,7 +769,7 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
 	unsigned int sign_time_msec = ExtractShort(data, len);
 	unsigned int fudge = ExtractShort(data, len);
 	BroString* request_MAC;
-	ExtractOctets(data, len, &request_MAC);
+	ExtractOctets(data, len, dns_TSIG_addl ? &request_MAC : nullptr);
 	unsigned int orig_id = ExtractShort(data, len);
 	unsigned int rr_error = ExtractShort(data, len);
 	ExtractOctets(data, len, 0);  // Other Data
@@ -1129,6 +1129,8 @@ int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
 			msg->BuildNSEC3_Val(&nsec3),
 		});
 		}
+	else
+		Unref(char_strings);
 
 	return 1;
 	}
@@ -1415,14 +1417,15 @@ void DNS_Interpreter::SendReplyOrRejectEvent(DNS_MsgInfo* msg,
 	RR_Type qtype = RR_Type(ExtractShort(data, len));
 	int qclass = ExtractShort(data, len);
 
-	if ( event )
-		analyzer->ConnectionEventFast(event, {
-			analyzer->BuildConnVal(),
-			msg->BuildHdrVal(),
-			new StringVal(question_name),
-			val_mgr->GetCount(qtype),
-			val_mgr->GetCount(qclass),
-		});
+	assert(event);
+
+	analyzer->ConnectionEventFast(event, {
+		analyzer->BuildConnVal(),
+		msg->BuildHdrVal(),
+		new StringVal(question_name),
+		val_mgr->GetCount(qtype),
+		val_mgr->GetCount(qclass),
+	});
 	}