diff --git a/CHANGES b/CHANGES
index 9e0b6ac455..dede533009 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3089.	[func]		dnssec-dsfromkey now supports reading keys from
+			standard input "dnssec-dsfromkey -f -". [RT# 20662]
+
 3088.	[bug]		Remove bin/tests/system/logfileconfig/ns1/named.conf
 			and add setup.sh in order to resolve changing
 			named.conf issue.  [RT #23687]
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index d21052a340..5ff00b5256 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-dsfromkey.c,v 1.19 2010/12/23 04:07:59 marka Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.20 2011/03/24 02:10:23 marka Exp $ */
 
 /*! \file */
 
@@ -31,12 +31,13 @@
 #include <isc/string.h>
 #include <isc/util.h>
 
+#include <dns/callbacks.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
 #include <dns/ds.h>
 #include <dns/fixedname.h>
-#include <dns/log.h>
 #include <dns/keyvalues.h>
+#include <dns/log.h>
 #include <dns/master.h>
 #include <dns/name.h>
 #include <dns/rdata.h>
@@ -76,8 +77,28 @@ initname(char *setname) {
 	return (result);
 }
 
+static void
+db_load_from_stream(dns_db_t *db, FILE *fp) {
+	isc_result_t result;
+	dns_rdatacallbacks_t callbacks;
+
+	dns_rdatacallbacks_init(&callbacks);
+	result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
+	if (result != ISC_R_SUCCESS)
+		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
+
+	result = dns_master_loadstream(fp, name, name, rdclass, 0,
+				       &callbacks, mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't load from input: %s", isc_result_totext(result));
+	
+	result = dns_db_endload(db, &callbacks.add_private);
+	if (result != ISC_R_SUCCESS)
+		fatal("dns_db_endload failed: %s", isc_result_totext(result));
+}
+
 static isc_result_t
-loadsetfromfile(char *filename, dns_rdataset_t *rdataset) {
+loadset(const char *filename, dns_rdataset_t *rdataset) {
 	isc_result_t	 result;
 	dns_db_t	 *db = NULL;
 	dns_dbnode_t	 *node = NULL;
@@ -90,9 +111,15 @@ loadsetfromfile(char *filename, dns_rdataset_t *rdataset) {
 	if (result != ISC_R_SUCCESS)
 		fatal("can't create database");
 
-	result = dns_db_load(db, filename);
-	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
-		fatal("can't load %s: %s", filename, isc_result_totext(result));
+	if (strcmp(filename, "-") == 0) {
+		db_load_from_stream(db, stdin);
+		filename = "input";
+	} else {
+		result = dns_db_load(db, filename);
+		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+			fatal("can't load %s: %s", filename,
+			      isc_result_totext(result));
+	}
 
 	result = dns_db_findnode(db, name, ISC_FALSE, &node);
 	if (result != ISC_R_SUCCESS)
@@ -141,7 +168,7 @@ loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
 		return (ISC_R_NOSPACE);
 	isc_buffer_putuint8(&buf, 0);
 
-	return (loadsetfromfile(filename, rdataset));
+	return (loadset(filename, rdataset));
 }
 
 static void
@@ -466,7 +493,7 @@ main(int argc, char **argv) {
 		if (usekeyset)
 			result = loadkeyset(dir, &rdataset);
 		else
-			result = loadsetfromfile(filename, &rdataset);
+			result = loadset(filename, &rdataset);
 
 		if (result != ISC_R_SUCCESS)
 			fatal("could not load DNSKEY set: %s\n",
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
index d139ba5ec7..3a4a050155 100644
--- a/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-dsfromkey.docbook,v 1.12 2010/12/23 23:47:08 tbox Exp $ -->
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.13 2011/03/24 02:10:23 marka Exp $ -->
 <refentry id="man.dnssec-dsfromkey">
   <refentryinfo>
     <date>August 26, 2009</date>
@@ -132,6 +132,15 @@
             from <option>file</option>.  If the zone name is the same as
             <option>file</option>, then it may be omitted.
           </para>
+          </para>
+            If <option>file</option> is set to <literal>"-"</literal>, then
+            the zone data is read from the standard input.  This makes it
+            possible to use the output of the <command>dig</command>
+            command as input, as in:
+          </para>
+          </para>
+            <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
+          </para>
         </listitem>
       </varlistentry>
 
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index b9b8c10b61..4adf74fb37 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.87 2011/03/22 00:41:53 marka Exp $
+# $Id: tests.sh,v 1.88 2011/03/24 02:10:23 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1315,5 +1315,14 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:check dnssec-dsfromkey from stdin($n)"
+ret=0
+$DIG $DIGOPTS dnskey algroll. @10.53.0.2 | \
+        $DSFROMKEY -f - algroll. > dig.out.ns2.test$n || ret=1
+diff -b dig.out.ns2.test$n ns1/dsset-algroll. > /dev/null 2>&1 || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status