diff --git a/lib/dns/sec/dst/bsafe_link.c b/lib/dns/sec/dst/bsafe_link.c
index 5315ecc46e..a3a9e43452 100644
--- a/lib/dns/sec/dst/bsafe_link.c
+++ b/lib/dns/sec/dst/bsafe_link.c
@@ -19,7 +19,7 @@
 /*
  * Principal Author: Brian Wellington
- * $Id: bsafe_link.c,v 1.4 1999/09/01 18:56:19 bwelling Exp $
+ * $Id: bsafe_link.c,v 1.5 1999/09/23 20:54:34 bwelling Exp $
  */
 #include
@@ -100,6 +100,7 @@ static isc_boolean_t dst_bsafe_compare(const dst_key_t *key1, const dst_key_t *key2); static dst_result_t dst_bsafe_generate(dst_key_t *key, int exp, isc_mem_t *mctx);
+static isc_boolean_t dst_bsafe_isprivate(const dst_key_t *key);
 static void dst_bsafe_destroy(void *key, isc_mem_t *mctx); static dst_result_t dst_bsafe_to_dns(const dst_key_t *in_key, isc_buffer_t *data);
@@ -123,6 +124,7 @@ dst_s_bsafe_init()
 bsafe_functions.verify = dst_bsafe_verify;
 bsafe_functions.compare = dst_bsafe_compare;
 bsafe_functions.generate = dst_bsafe_generate;
+ bsafe_functions.isprivate = dst_bsafe_isprivate;
 bsafe_functions.destroy = dst_bsafe_destroy;
 bsafe_functions.to_dns = dst_bsafe_to_dns;
 bsafe_functions.from_dns = dst_bsafe_from_dns;
@@ -195,8 +197,10 @@ dst_bsafe_sign(const unsigned int mode, dst_key_t *key, void **context,
 return (DST_R_NOSPACE);
 rkey = (RSA_Key *) key->opaque;
- if (rkey == NULL || rkey->rk_Private_Key == NULL)
+ if (rkey == NULL)
 return (DST_R_NULLKEY);
+ if (rkey->rk_Private_Key == NULL)
+ return (DST_R_NOTPRIVATEKEY);
 if ((status = B_CreateAlgorithmObject(&rsaEncryptor)) != 0)
 return (DST_R_NOMEMORY);
@@ -320,8 +324,10 @@ dst_bsafe_verify(const unsigned int mode, dst_key_t *key, void **context,
 isc_buffer_available(&work, &work_region);
 rkey = (RSA_Key *) key->opaque;
- if (rkey == NULL || rkey->rk_Public_Key == NULL)
+ if (rkey == NULL)
 return (DST_R_NULLKEY);
+ if (rkey->rk_Public_Key == NULL)
+ return (DST_R_NOTPUBLICKEY);
 if ((status = B_CreateAlgorithmObject(&rsaEncryptor)) != 0)
 return (DST_R_NOMEMORY);
 if ((status = B_SetAlgorithmInfo(rsaEncryptor,
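Review bot: The new `return (DST_R_NOTPRIVATEKEY);` path in dst_bsafe_sign, and the matching `DST_R_NOTPUBLICKEY` path in the dst_bsafe_verify hunk below, are not reflected in the functions' header comments, which lie outside these hunks; if those blocks carry a Returns list like the other comment blocks in this file, add `DST_R_NOTPRIVATEKEY` to dst_bsafe_sign's and `DST_R_NOTPUBLICKEY` to dst_bsafe_verify's. Splitting "no key material at all" from "key lacks the needed half" is a useful distinction for callers, since a public-only key handed to the signer is a configuration error rather than a missing key, and the documentation should make that reading explicit. Both enclosing functions start and end outside the hunks.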
@@ -373,6 +379,22 @@ dst_bsafe_verify(const unsigned int mode, dst_key_t *key, void **context,
 }
+/*
+ * dst_bsafe_isprivate
+ * Is this a private key?
+ * Parameters
+ * key DST KEY structure
+ * Returns
+ * ISC_TRUE
+ * ISC_FALSE
+ */
+isc_boolean_t
+dst_bsafe_isprivate(const dst_key_t *key) {
+ RSA_Key *rkey = (RSA_Key *) key->opaque;
+ return (rkey != NULL && rkey->rk_Private_Key != NULL);
+}
+
+
 /*
  * dst_bsafe_to_dns
  * Converts key from RSA to DNS distribution format
diff --git a/lib/dns/sec/dst/dst_api.c b/lib/dns/sec/dst/dst_api.c
index f9c627ca2f..f964727a90 100644
--- a/lib/dns/sec/dst/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@@ -17,7 +17,7 @@
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.9 1999/09/02 15:56:32 bwelling Exp $
+ * $Id: dst_api.c,v 1.10 1999/09/23 20:54:35 bwelling Exp $
  */
 #include
@@ -580,6 +580,12 @@ dst_key_id(const dst_key_t *key) { return key->key_id; }
+isc_boolean_t
+dst_key_isprivate(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->func->isprivate(key));
+}
+
 /*
  * dst_sig_size
  * Computes the maximum size of a signature generated by the given key
diff --git a/lib/dns/sec/dst/dst_internal.h b/lib/dns/sec/dst/dst_internal.h
index 486c593d2e..9ede6460aa 100644
--- a/lib/dns/sec/dst/dst_internal.h
+++ b/lib/dns/sec/dst/dst_internal.h
@@ -65,6 +65,7 @@ struct dst_func {
 isc_region_t *sig, isc_mem_t *mctx);
 isc_boolean_t (*compare)(const dst_key_t *key1, const dst_key_t *key2);
 dst_result_t (*generate)(dst_key_t *key, int parms, isc_mem_t *mctx);
+ isc_boolean_t (*isprivate)(const dst_key_t *key);
 void (*destroy)(void *key, isc_mem_t *mctx);
 /* conversion functions */
 dst_result_t (*to_dns)(const dst_key_t *key, isc_buffer_t *data);
diff --git a/lib/dns/sec/dst/dst_result.c b/lib/dns/sec/dst/dst_result.c
index 755c1d46c6..d340f5196e 100644
--- a/lib/dns/sec/dst/dst_result.c
+++ b/lib/dns/sec/dst/dst_result.c
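Review bot: `dst_bsafe_isprivate` is prototyped `static` in the declaration hunk above but defined here without the storage class, and it returns the plain int result of `&&` from a function typed `isc_boolean_t`, while the hmac_link.c counterpart returns `ISC_TRUE`. Linkage is still internal because of the earlier static prototype, but writing `static isc_boolean_t` on the definition and `return ((rkey != NULL && rkey->rk_Private_Key != NULL) ? ISC_TRUE : ISC_FALSE);` keeps the definition readable on its own and guarantees the value is a member of the boolean type; dst_openssl_isprivate in openssl_link.c has the same two points. Since `key->opaque` is dereferenced unconditionally, a one-line comment such as `/* key has been validated by dst_key_isprivate(); only rkey may be NULL */` would record the contract this relies on.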
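Review bot: The new public `dst_key_isprivate` has no header comment, whereas `dst_sig_size` just below carries the file's name-and-purpose block; add one stating that it reports whether the key holds the private (signing) material, that for the symmetric HMAC-MD5 backend added in this commit the answer is always ISC_TRUE, and that `key` must be a valid key as enforced by the REQUIRE. The call through `key->func->isprivate` also assumes every backend's init routine fills the new table slot; if the `*_functions` tables are zero-initialised file-scope statics, a backend that omits the assignment turns into a call through a NULL pointer here, so `REQUIRE(key->func->isprivate != NULL);` ahead of the call would make that omission fail as a named assertion rather than a crash.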
@@ -17,7 +17,7 @@
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.1 1999/07/12 20:08:29 bwelling Exp $
+ * $Id: dst_result.c,v 1.2 1999/09/23 20:54:35 bwelling Exp $
  */
 #include
@@ -47,6 +47,8 @@ static char *text[DST_R_NRESULTS] = {
 "verify init failure", /* 12 */
 "verify update failure", /* 13 */
 "verify final failure", /* 14 */
+ "not a public key", /* 15 */
+ "not a private key", /* 16 */
 };
 #define DST_RESULT_RESULTSET 2
diff --git a/lib/dns/sec/dst/hmac_link.c b/lib/dns/sec/dst/hmac_link.c
index 28524fa758..3d8f25d018 100644
--- a/lib/dns/sec/dst/hmac_link.c
+++ b/lib/dns/sec/dst/hmac_link.c
@@ -17,7 +17,7 @@
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.6 1999/09/02 15:56:33 bwelling Exp $
+ * $Id: hmac_link.c,v 1.7 1999/09/23 20:54:35 bwelling Exp $
  */
 #include
@@ -65,6 +65,7 @@ static isc_boolean_t dst_hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2); static dst_result_t dst_hmacmd5_generate(dst_key_t *key, int exp, isc_mem_t *mctx);
+static isc_boolean_t dst_hmacmd5_isprivate(const dst_key_t *key);
 static void dst_hmacmd5_destroy(void *key, isc_mem_t *mctx); static dst_result_t dst_hmacmd5_to_dns(const dst_key_t *in_key, isc_buffer_t *data);
@@ -88,6 +89,7 @@ dst_s_hmacmd5_init()
 hmacmd5_functions.verify = dst_hmacmd5_verify;
 hmacmd5_functions.compare = dst_hmacmd5_compare;
 hmacmd5_functions.generate = dst_hmacmd5_generate;
+ hmacmd5_functions.isprivate = dst_hmacmd5_isprivate;
 hmacmd5_functions.destroy = dst_hmacmd5_destroy;
 hmacmd5_functions.to_dns = dst_hmacmd5_to_dns;
 hmacmd5_functions.from_dns = dst_hmacmd5_from_dns;
@@ -231,6 +233,19 @@ dst_hmacmd5_verify(const unsigned int mode, dst_key_t *key, void **context,
 return (DST_R_SUCCESS);
 }
+/*
+ * dst_hmacmd5_isprivate
+ * Is this a private key? Yes
+ * Parameters
+ * key DST KEY structure
+ * Returns
+ * ISC_TRUE
+ */
+isc_boolean_t
+dst_hmacmd5_isprivate(const dst_key_t *key) {
+ return (ISC_TRUE);
+}
+
 /*
  * dst_hmacmd5_to_dns
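Review bot: `key` is unused in `dst_hmacmd5_isprivate`, which will warn under `-Wunused-parameter`; add `(void)key;` as the first statement, or the project's unused-parameter macro if one exists. The comment `Is this a private key? Yes` should also say why, since the answer is a property of the algorithm rather than of the key object: ` * HMAC-MD5 is symmetric: the shared secret both signs and verifies, so the key always counts as private.` That wording matters for callers of dst_key_isprivate, which will now see ISC_TRUE for every HMAC key, not only for asymmetric keys that carry a private half.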
diff --git a/lib/dns/sec/dst/include/dst/dst.h b/lib/dns/sec/dst/include/dst/dst.h
index 0da1ca5115..49fc39e164 100644
--- a/lib/dns/sec/dst/include/dst/dst.h
+++ b/lib/dns/sec/dst/include/dst/dst.h
@@ -239,6 +239,9 @@ dst_key_flags(const dst_key_t *key);
 isc_uint16_t dst_key_id(const dst_key_t *key);
+isc_boolean_t
+dst_key_isprivate(const dst_key_t *key);
+
 /* Computes the size of a signature generated by the given key.
  *
  * Requires:
diff --git a/lib/dns/sec/dst/include/dst/result.h b/lib/dns/sec/dst/include/dst/result.h
index 2a56707846..387c895991 100644
--- a/lib/dns/sec/dst/include/dst/result.h
+++ b/lib/dns/sec/dst/include/dst/result.h
@@ -28,8 +28,10 @@ typedef unsigned int dst_result_t;
 #define DST_R_VERIFYINITFAILURE (ISC_RESULTCLASS_DST + 12)
 #define DST_R_VERIFYUPDATEFAILURE (ISC_RESULTCLASS_DST + 13)
 #define DST_R_VERIFYFINALFAILURE (ISC_RESULTCLASS_DST + 14)
+#define DST_R_NOTPUBLICKEY (ISC_RESULTCLASS_DST + 15)
+#define DST_R_NOTPRIVATEKEY (ISC_RESULTCLASS_DST + 16)
-#define DST_R_NRESULTS 15 /* Number of results */
+#define DST_R_NRESULTS 17 /* Number of results */
 char *
 dst_result_totext(dst_result_t);
diff --git a/lib/dns/sec/dst/openssl_link.c b/lib/dns/sec/dst/openssl_link.c
index c362f51039..1e2d4d6017 100644
--- a/lib/dns/sec/dst/openssl_link.c
+++ b/lib/dns/sec/dst/openssl_link.c
@@ -19,7 +19,7 @@
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.6 1999/09/06 16:55:58 bwelling Exp $
+ * $Id: openssl_link.c,v 1.7 1999/09/23 20:54:36 bwelling Exp $
  */
 #include
@@ -57,6 +57,7 @@ static isc_boolean_t dst_openssl_compare(const dst_key_t *key1, const dst_key_t *key2); static dst_result_t dst_openssl_generate(dst_key_t *key, int exp, isc_mem_t *mctx);
+static isc_boolean_t dst_openssl_isprivate(const dst_key_t *key);
 static void dst_openssl_destroy(void *key, isc_mem_t *mctx); static dst_result_t dst_openssl_to_dns(const dst_key_t *in_key, isc_buffer_t *data);
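Review bot: The `dst_key_isprivate` prototype is added to the public header without the descriptive comment that the neighbouring `dst_sig_size` declaration carries (`/* Computes the size of a signature ... Requires: ...`), so the header does not say what "private" means across backends. Add a block above it along the lines of `/* Returns ISC_TRUE if the key contains private (signing) material; for symmetric algorithms (HMAC-MD5) this is always ISC_TRUE. Requires: 'key' is a valid key. */`, where the Requires clause mirrors the `REQUIRE(VALID_KEY(key))` in the dst_api.c implementation. Stating the symmetric-key case here is what lets a caller decide whether "private" is a safe test for "must not be published".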
@@ -84,6 +85,7 @@ dst_s_openssl_init()
 openssl_functions.verify = dst_openssl_verify;
 openssl_functions.compare = dst_openssl_compare;
 openssl_functions.generate = dst_openssl_generate;
+ openssl_functions.isprivate = dst_openssl_isprivate;
 openssl_functions.destroy = dst_openssl_destroy;
 openssl_functions.to_dns = dst_openssl_to_dns;
 openssl_functions.from_dns = dst_openssl_from_dns;
@@ -236,6 +238,22 @@ dst_openssl_verify(const unsigned int mode, dst_key_t *key, void **context,
 }
+/*
+ * dst_openssl_isprivate
+ * Is this a private key?
+ * Parameters
+ * key DST KEY structure
+ * Returns
+ * ISC_TRUE
+ * ISC_FALSE
+ */
+isc_boolean_t
+dst_openssl_isprivate(const dst_key_t *key) {
+ DSA *dsa = (DSA *) key->opaque;
+ return (dsa != NULL && dsa->priv_key != NULL);
+}
+
+
 /*
  * dst_openssl_to_dns
  * Converts key from DSA to DNS distribution format