diff --git a/CHANGES b/CHANGES
index 9358dd184d..58f01a9f3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1980. [func] dnssec-signzone: output the SOA record as the
+ first record in the signed zone. [RT #15758]
+
 1979. [port] linux: allow named to drop core after changing user ids. [RT #15753]
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 158524d794..dd3230e30e 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: dnssec-signzone.c,v 1.193 2005/11/30 03:33:48 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.194 2006/02/03 00:13:57 marka Exp $ */
 /*! \file */
@@ -1091,6 +1091,32 @@ postsign(void) {
 dns_dbiterator_destroy(&gdbiter);
 }
+/*%
+ * Sign the apex of the zone.
+ */
+static void
+signapex(void) {
+ dns_dbnode_t *node = NULL;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_result_t result;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ result = dns_dbiterator_current(gdbiter, &node, name);
+ check_result(result, "dns_dbiterator_current()");
+ signname(node, name);
+ dumpnode(name, node);
+ cleannode(gdb, gversion, node);
+ dns_db_detachnode(gdb, &node);
+ result = dns_dbiterator_next(gdbiter);
+ if (result == ISC_R_NOMORE)
+ finished = ISC_TRUE;
+ else if (result != ISC_R_SUCCESS)
+ fatal("failure iterating database: %s",
+ isc_result_totext(result));
+}
+
 /*% * Assigns a node to a worker thread. This is protected by the master task's * lock.
@@ -2088,6 +2114,7 @@ main(int argc, char *argv[]) {
 RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS);
 presign();
+ signapex();
 (void)isc_app_run();
 if (!finished) fatal("process aborted by user");
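Review bot: signapex() signs and dumps whatever node `gdbiter` currently points at and calls it the apex, but nothing in the added function checks that the name returned by `dns_dbiterator_current()` is the zone origin. It depends on the caller having positioned the iterator at the first node, presumably in presign(), which is outside this hunk. Because this node is signed outside the normal worker path, the header comment should state the precondition, e.g. `* The iterator must already be positioned at the zone origin.`, and the function could check it by comparing `name` with the zone origin (for instance via `dns_name_equal()`) before `signname(node, name)`. The write to `finished` here is not covered by the master task's lock that the following comment mentions, which is only safe if no worker has started yet; a one-line comment saying so would keep a later reordering from turning it into a race.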
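Review bot: The new `signapex();` call in main() is order-sensitive but carries no comment: it has to sit after `presign()` and before `(void)isc_app_run()`, presumably so the apex node is written before any task produces output. I would add `/* Sign and write the apex before the tasks start so it leads the signed zone. */` above the call. When signapex() sets `finished` (a zone whose only node is the apex), isc_app_run() is still entered; whether the application then shuts down cleanly depends on code outside this hunk, so that single-node case deserves a regression test. main() starts and ends outside the hunk.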