diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 08962c546b..bd819571d7 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.2 1999/09/02 00:00:22 explorer Exp $
+ * $Id: dnssec.c,v 1.3 1999/09/03 19:05:49 bwelling Exp $
  * Principal Author: Brian Wellington
  */
 
@@ -194,6 +194,34 @@ cleanup:
 	return (ret);
 }
 
+isc_result_t
+dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
+			dst_key_t **key)
+{
+	isc_buffer_t b, namebuf;
+	isc_region_t r;
+	isc_result_t ret;
+	char namestr[1024];
+
+	INSIST(name != NULL);
+	INSIST(rdata != NULL);
+	INSIST(mctx != NULL);
+	INSIST(key != NULL);
+	INSIST(*key == NULL);
+
+	isc_buffer_init(&namebuf, namestr, sizeof(namestr) - 1,
+			ISC_BUFFERTYPE_TEXT);
+	ret = dns_name_totext(name, ISC_FALSE, &namebuf);
+	if (ret != ISC_R_SUCCESS)
+		return ret;
+	isc_buffer_used(&namebuf, &r);
+	namestr[r.length] = 0;
+	dns_rdata_toregion(rdata, &r);
+	isc_buffer_init(&b, r.base, r.length, ISC_BUFFERTYPE_BINARY);
+	isc_buffer_add(&b, r.length);
+	return (dst_key_fromdns(namestr, &b, mctx, key));
+}
+
 isc_result_t
 dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		isc_stdtime_t *inception, isc_stdtime_t *expire,
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index aa22b8d008..c4afc45298 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -42,6 +42,27 @@ dns_dnssec_add_trusted_key(dst_key_t *key, isc_mem_t *mctx);
  *		ISC_R_NOMEMORY
  */
 
+isc_result_t
+dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
+			dst_key_t **key);
+/*
+ *	Creates a DST key from a DNS record.  Basically a wrapper around
+ *	dst_key_fromdns().
+ *
+ *	Requires:
+ *		'name' is not NULL
+ *		'rdata' is not NULL
+ *		'mctx' is not NULL
+ *		'key' is not NULL
+ *		'*key' is NULL
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ *		ISC_R_NOMEMORY
+ *		DST_R_INVALIDPUBLICKEY
+ *		various errors from dns_name_totext
+ */
+
 isc_result_t
 dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 		isc_stdtime_t *inception, isc_stdtime_t *expire,