diff --git a/lib/dns/sec/dst/dst_api.c b/lib/dns/sec/dst/dst_api.c
index 8321ee3ab0..4ea338d3b2 100644
--- a/lib/dns/sec/dst/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@@ -17,7 +17,7 @@
 /*
 * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.11 1999/09/27 16:55:44 bwelling Exp $
+ * $Id: dst_api.c,v 1.12 1999/10/05 15:08:52 bwelling Exp $
 */
 #include
@@ -686,6 +686,35 @@ dst_sig_size(const dst_key_t *key) {
 case DST_ALG_HMACSHA1:
 return (20);
 case DST_ALG_DH:
+ return (-1);
+ default:
+ REQUIRE(ISC_FALSE);
+ return (-1);
+ }
+}
+
+/*
+ * dst_secret_size
+ * Computes the maximum size of a shared secret generated by the given key
+ * Parameters
+ * key The DST key
+ * Returns
+ * n The number of bytes necessary to hold the shared secret
+ */
+int
+dst_secret_size(const dst_key_t *key) {
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(dst_supported_algorithm(key->key_alg) == ISC_TRUE);
+
+ switch (key->key_alg) {
+ case DST_ALG_RSA:
+ case DST_ALG_DSA:
+ case DST_ALG_HMACMD5:
+ case DST_ALG_HMACSHA1:
+ return (-1);
+ case DST_ALG_DH:
+ return (key->key_size + 7) / 8;
 default:
 REQUIRE(ISC_FALSE);
 return (-1);
diff --git a/lib/dns/sec/dst/include/dst/dst.h b/lib/dns/sec/dst/include/dst/dst.h
index d1546bedf8..0a4cc15080 100644
--- a/lib/dns/sec/dst/include/dst/dst.h
+++ b/lib/dns/sec/dst/include/dst/dst.h
@@ -271,10 +271,26 @@ dst_key_isprivate(const dst_key_t *key);
 *
 * Requires:
 * "key" is a valid key.
+ *
+ * Returns:
+ * n The size of the signature
+ * -1 The key's algorithm does not support signatures
 */
 int
 dst_sig_size(const dst_key_t *key);
+/* Computes the size of a shared secret generated by the given key.
+ *
+ * Requires:
+ * "key" is a valid key.
+ *
+ * Returns:
+ * n The size of the secret
+ * -1 The key's algorithm does not support shared secrets
+ */
+int
+dst_secret_size(const dst_key_t *key);
+
 /* Generate random data.
 *
 * Requires:
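Review bot: A negative return is now an ordinary result of both size functions, so a caller that uses the result as a buffer length without testing it would convert -1 to a very large unsigned size. In dst_sig_size, `case DST_ALG_DH:` now returns -1 where it previously fell through to `REQUIRE(ISC_FALSE)`, and dst_secret_size returns -1 for RSA, DSA and both HMAC algorithms. The callers are outside this diff; each one should reject a negative value before sizing or allocating a buffer. The comment block added above dst_secret_size lists only `n` under Returns, and I would add ` *	-1	The key's algorithm does not support shared secrets` there so it matches the header. dst_sig_size begins above the hunk and dst_secret_size's closing braces fall below it.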
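Review bot: The header comment added for dst_secret_size says `n The size of the secret`, while the comment in dst_api.c describes the value as the maximum size and counts it in bytes; a caller sizing a buffer from this prototype needs to know it is an upper bound and in which unit. I would word the line as ` *	n	The maximum size of the shared secret, in bytes`. The same unit could be stated for dst_sig_size's `n`, whose comment begins above the hunk.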