diff --git a/g10/ChangeLog b/g10/ChangeLog
index b38ebe2fb..e3ed14642 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,17 @@
+2005-02-06  David Shaw  <dshaw@jabberwocky.com>
+
+	* trustdb.h, trustdb.c (trustdb_check_or_update): New.  If the
+	trustdb is dirty and --interactive is set, do an --update-trustdb.
+	If not interactive, do a --check_trustdb unless
+	--no-auto-check-trustdb is set.
+
+	* import.c (import_keys_internal): Moved from here.
+
+	* keyserver.c (keyserver_refresh): Call it here after all
+	refreshing has happened so that we don't rebuild after each
+	preferred keyserver set of imports, but do one big rebuild at the
+	end.  This is Debian bug #293816, noted by Kurt Roeckx.
+
 2005-02-04  David Shaw  <dshaw@jabberwocky.com>
 
 	* getkey.c (merge_selfsigs_subkey): Merged away definition from
diff --git a/g10/import.c b/g10/import.c
index 4119b01c1..0554e4dbb 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1,6 +1,6 @@
 /* import.c - import a key into our key storage.
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
- *               2004, 2005 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+ *               2005 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -193,18 +193,15 @@ import_keys_internal( IOBUF inp, char **fnames, int nnames,
         import_print_stats (stats);
         import_release_stats_handle (stats);
     }
+
     /* If no fast import and the trustdb is dirty (i.e. we added a key
        or userID that had something other than a selfsig, a signature
        that was other than a selfsig, or any revocation), then
        update/check the trustdb if the user specified by setting
        interactive or by not setting no-auto-check-trustdb */
-    if (!(options&IMPORT_FAST) && trustdb_pending_check())
-      {
-	if (opt.interactive)
-	  update_trustdb();
-	else if (!opt.no_auto_check_trustdb)
-	  check_trustdb();
-      }
+
+    if(!(options&IMPORT_FAST))
+      trustdb_check_or_update();
 
     return rc;
 }
diff --git a/g10/keyserver.c b/g10/keyserver.c
index fb3f11d5e..7389d1e60 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -35,6 +35,7 @@
 #include "ttyio.h"
 #include "options.h"
 #include "packet.h"
+#include "trustdb.h"
 #include "keyserver-internal.h"
 #include "util.h"
 
@@ -1628,11 +1629,17 @@ keyserver_refresh(STRLIST users)
 {
   int rc,count,numdesc,fakev3=0;
   KEYDB_SEARCH_DESC *desc;
+  unsigned int options=opt.keyserver_options.import_options;
 
-  /* We switch merge_only on during a refresh, as 'refresh' should
-     never import new keys, even if their keyids match.  Is it worth
-     preserving the old merge_only value here? */
-  opt.import_options|=IMPORT_MERGE_ONLY;
+  /* We switch merge-only on during a refresh, as 'refresh' should
+     never import new keys, even if their keyids match. */
+  opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY;
+
+  /* Similarly, we switch on fast-import, since refresh may make
+     multiple import sets (due to preferred keyserver URLs).  We don't
+     want each set to rebuild the trustdb.  Instead we do it once at
+     the end here. */
+  opt.keyserver_options.import_options|=IMPORT_FAST;
 
   /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO
      scheme, then enable fake v3 keyid generation. */
@@ -1696,6 +1703,13 @@ keyserver_refresh(STRLIST users)
 
   m_free(desc);
 
+  opt.keyserver_options.import_options=options;
+
+  /* If the original options didn't have fast import, and the trustdb
+     is dirty, rebuild. */
+  if(!(opt.keyserver_options.import_options&IMPORT_FAST))
+    trustdb_check_or_update();
+
   return rc;
 }
 
diff --git a/g10/trustdb.c b/g10/trustdb.c
index 8dccef7a9..d69b872ca 100644
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@@ -624,6 +624,20 @@ trustdb_pending_check(void)
   return pending_check_trustdb;
 }
 
+/* If the trustdb is dirty, and we're interactive, update it.
+   Otherwise, check it unless no-auto-check-trustdb is set. */
+void
+trustdb_check_or_update(void)
+{
+  if(trustdb_pending_check())
+    {
+      if(opt.interactive)
+	update_trustdb();
+      else if(!opt.no_auto_check_trustdb)
+	check_trustdb();
+    }
+}
+
 void
 read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck,
 		   byte *marginals,byte *completes,byte *cert_depth)
diff --git a/g10/trustdb.h b/g10/trustdb.h
index baeab3fa4..8bcaae51e 100644
--- a/g10/trustdb.h
+++ b/g10/trustdb.h
@@ -1,6 +1,6 @@
 /* trustdb.h - Trust database
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003,
- *               2004 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
+ *               2005 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -53,6 +53,7 @@ int string_to_trust_value (const char *str);
 
 void revalidation_mark (void);
 int trustdb_pending_check(void);
+void trustdb_check_or_update(void);
 
 int cache_disabled_value(PKT_public_key *pk);