diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 6a2e018517..884537c2e4 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -2372,20 +2372,31 @@ dst_key_is_unused(dst_key_t *key) {
 return (true);
 }
 
-static void
-get_ksk_zsk(dst_key_t *key, bool *ksk, bool *zsk) {
+isc_result_t
+dst_key_role(dst_key_t *key, bool *ksk, bool *zsk) {
 bool k = false, z = false;
+ isc_result_t result, ret = ISC_R_SUCCESS;
 
- if (dst_key_getbool(key, DST_BOOL_KSK, &k) == ISC_R_SUCCESS) {
- *ksk = k;
- } else {
- *ksk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) != 0);
+ if (ksk != NULL) {
+ result = dst_key_getbool(key, DST_BOOL_KSK, &k);
+ if (result == ISC_R_SUCCESS) {
+ *ksk = k;
+ } else {
+ *ksk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) != 0);
+ ret = result;
+ }
 }
- if (dst_key_getbool(key, DST_BOOL_ZSK, &z) == ISC_R_SUCCESS) {
- *zsk = z;
- } else {
- *zsk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0);
+
+ if (zsk != NULL) {
+ result = dst_key_getbool(key, DST_BOOL_ZSK, &z);
+ if (result == ISC_R_SUCCESS) {
+ *zsk = z;
+ } else {
+ *zsk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0);
+ ret = result;
+ }
 }
+ return (ret);
 }
 
 /* Hints on key whether it can be published and/or used for signing. */
@@ -2444,7 +2455,7 @@ dst_key_is_active(dst_key_t *key, isc_stdtime_t now) {
 time_ok = (when <= now);
 }
 
- get_ksk_zsk(key, &ksk, &zsk);
+ (void)dst_key_role(key, &ksk, &zsk);
 
 /* Check key states:
 * KSK: If the DS is RUMOURED or OMNIPRESENT the key is considered
@@ -2505,7 +2516,7 @@ dst_key_is_signing(dst_key_t *key, int role, isc_stdtime_t now,
 time_ok = (when <= now);
 }
 
- get_ksk_zsk(key, &ksk, &zsk);
+ (void)dst_key_role(key, &ksk, &zsk);
 
 /* Check key states:
 * If the RRSIG state is RUMOURED or OMNIPRESENT, it means the key
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index f219aa8e31..2f9877be43 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
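Review bot: In `dst_key_role` (lib/dns/dst_api.c) both `else` branches fill `*ksk` / `*zsk` from `dst_key_flags()` and also set `ret = result`, so the now-exported function returns a failure code while still handing back a usable role. A new caller that treats non-success as "outputs not set" would discard a valid answer, and when both lookups fail the ZSK result overwrites the KSK one. The two `(void)dst_key_role(key, &ksk, &zsk);` call sites in `dst_key_is_active` and `dst_key_is_signing` rely on the fallback being written on failure, and the role they get feeds the signing decision, so the contract should be stated at the definition: `/* *ksk and *zsk are always set; a non-success result only means the role was derived from the key flags. */`.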
@@ -1180,6 +1180,15 @@ dst_key_goal(dst_key_t *key);
 * 'key' to be valid.
 */
 
+isc_result_t
+dst_key_role(dst_key_t *key, bool *ksk, bool *zsk);
+/*%<
+ * Get the key role. A key can have the KSK or the ZSK role, or both.
+ *
+ * Requires:
+ * 'key' to be valid.
+ */
+
 void
 dst_key_copy_metadata(dst_key_t *to, dst_key_t *from);
 /*%<
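Review bot: The `/*%<` block for `dst_key_role` documents neither the return value nor that `ksk` and `zsk` are optional, although the implementation in dst_api.c skips a NULL out-pointer and returns the `dst_key_getbool()` result whenever it falls back to the key flags. I would add a line `* 'ksk' and 'zsk' may each be NULL if that role is not needed.` and a Returns section along the lines of `* ISC_R_SUCCESS if the role was read from key metadata; otherwise the dst_key_getbool() result, with the role derived from the key flags.` The exact failure codes are not visible in this diff, so that wording should be checked against `dst_key_getbool()`.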