diff --git a/CHANGES b/CHANGES
index 005667c306..ef39c1f1fd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+1413.	[func]		Explictly request the (re-)generation of DS records from
+			keysets (dnssec-signzone -g).
+
 1412.	[func]		You can now specify servers to be tried if a nameserver
 			has IPv6 address and you only support IPv4 or the
 			reverse. See dual-stack-servers.
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 0a008b3667..e07e76236c 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -17,7 +17,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.165 2002/12/03 05:01:34 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.166 2003/01/18 00:24:09 marka Exp $ */
 
 #include <config.h>
 
@@ -117,6 +117,7 @@ static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
 static unsigned int assigned = 0, completed = 0;
 static isc_boolean_t nokeys = ISC_FALSE;
 static isc_boolean_t removefile = ISC_FALSE;
+static isc_boolean_t generateds = ISC_FALSE;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -756,16 +757,43 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 	 */
 	if (isdelegation) {
 		dns_rdataset_t dsset;
+		dns_rdataset_t sigdsset;
 
 		dns_rdataset_init(&dsset);
-		result = loadds(name, &dsset);
+		dns_rdataset_init(&sigdsset);
+		result = dns_db_findrdataset(gdb, node, gversion,
+					     dns_rdatatype_ds,
+					     0, 0, &dsset, &sigdsset);
 		if (result == ISC_R_SUCCESS) {
-			result = dns_db_addrdataset(gdb, node, gversion, 0,
-						    &dsset, 0, NULL);
-			check_result(result, "dns_db_deleterdataset");
-			hasds = ISC_TRUE;
 			dns_rdataset_disassociate(&dsset);
+			if (generateds) {
+				result = dns_db_deleterdataset(gdb, node,
+							       gversion,
+							       dns_rdatatype_ds,
+							       0);
+				check_result(result, "dns_db_deleterdataset");
+			} else
+				hasds = ISC_TRUE;
 		}
+		if (generateds) {
+			result = loadds(name, &dsset);
+			if (result == ISC_R_SUCCESS) {
+				result = dns_db_addrdataset(gdb, node,
+							    gversion, 0,
+							    &dsset, 0, NULL);
+				check_result(result, "dns_db_addrdataset");
+				hasds = ISC_TRUE;
+				dns_rdataset_disassociate(&dsset);
+			} else if (dns_rdataset_isassociated(&sigdsset)) {
+				result = dns_db_deleterdataset(gdb, node,
+							       gversion,
+							       dns_rdatatype_sig,
+							       dns_rdatatype_ds);
+				check_result(result, "dns_db_deleterdataset");
+				dns_rdataset_disassociate(&sigdsset);
+			}
+		} else if (dns_rdataset_isassociated(&sigdsset))
+			dns_rdataset_disassociate(&sigdsset);
 	}
 
 	/*
@@ -807,6 +835,9 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 			if (hasds)
 				nxt_setbit(name, &rdataset, dns_rdatatype_ds,
 					   1);
+			else
+				nxt_setbit(name, &rdataset, dns_rdatatype_ds,
+					   0);
 		}
 
 		signset(&diff, node, name, &rdataset);
@@ -1385,6 +1416,8 @@ usage(void) {
 	fprintf(stderr, "\t-c class (IN)\n");
 	fprintf(stderr, "\t-d directory\n");
 	fprintf(stderr, "\t\tdirectory to find keyset files (.)\n");
+	fprintf(stderr, "\t-g:\t");
+	fprintf(stderr, "generate DS records from keyset files\n");
 	fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
 	fprintf(stderr, "\t\tSIG start time - absolute|offset (now - 1 hour)\n");
 	fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
@@ -1479,7 +1512,7 @@ main(int argc, char *argv[]) {
 	dns_result_register();
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "c:s:e:i:v:o:f:ahpr:td:n:Sk:"))
+					   "ac:de:f:ghi:k:n:v:o:pr:s:St:"))
 	       != -1) {
 		switch (ch) {
 		case 'c':
@@ -1494,6 +1527,10 @@ main(int argc, char *argv[]) {
 			endstr = isc_commandline_argument;
 			break;
 
+		case 'g':
+			generateds = ISC_TRUE;
+			break;
+
 		case 'i':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 75d77cc62d..93d1be9198 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -16,7 +16,7 @@
  - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.3 2002/11/04 00:16:05 marka Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.4 2003/01/18 00:24:09 marka Exp $ -->
 
 <refentry>
   <refentryinfo>
@@ -40,6 +40,7 @@
       <arg><option>-a</option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-g</option></arg>
       <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
       <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
       <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
@@ -102,6 +103,16 @@
 	</listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-g</term>
+	<listitem>
+	  <para>
+		Generate DS records for child zones from keyset files.
+		Existing DS records will be removed.
+	  </para>
+	</listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-s <replaceable class="parameter">start-time</replaceable></term>
 	<listitem>