diff --git a/CHANGES b/CHANGES
index 64c178049f..b680f062ef 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2559. [bug] dnssec-dsfromkey could compute bad DS records when
+ reading from a K* files. [RT #19357]
+
 2558. [func] Set the ownership of missing directories created for pid-file if -u has been specified on the command line. [RT #19328]
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index d3d1d06f4e..6401a0002d 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE. */
-/* $Id: dnssec-dsfromkey.c,v 1.2 2008/11/07 02:28:49 marka Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.3 2009/02/17 00:16:45 marka Exp $ */
 /*! \file */
@@ -111,18 +111,18 @@ loadkeys(char *dirname, char *setname)
 }
 static void
-loadkey(char *filename, dns_rdata_t *rdata)
+loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
+ dns_rdata_t *rdata)
 {
 isc_result_t result;
 dst_key_t *key = NULL;
- unsigned char key_buf[DST_KEY_MAXSIZE];
 isc_buffer_t keyb;
 isc_region_t r;
 dns_rdataset_init(&keyset);
 dns_rdata_init(rdata);
- isc_buffer_init(&keyb, key_buf, sizeof(key_buf));
+ isc_buffer_init(&keyb, key_buf, key_buf_size);
 result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
 if (result != ISC_R_SUCCESS)
@@ -360,7 +360,10 @@ main(int argc, char **argv) {
 emitds(dtype, &rdata);
 }
 } else {
- loadkey(argv[isc_commandline_index], &rdata);
+ unsigned char key_buf[DST_KEY_MAXSIZE];
+
+ loadkey(argv[isc_commandline_index], key_buf,
+ DST_KEY_MAXSIZE, &rdata);
 if (both) {
 emitds(DNS_DSDIGEST_SHA1, &rdata);
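Review bot: The new `key_buf`/`key_buf_size` parameters in the loadkey() hunk (@@ -111,18 +111,18 @@) carry a lifetime contract that is not documented anywhere. The CHANGES entry and the removal of the local `key_buf` suggest that `rdata` keeps pointing into this buffer after loadkey() returns, though the line that binds the two is outside the hunk. I would add a comment above the function such as `/* key_buf backs the returned rdata and must stay valid for as long as rdata is used. */` so that a later caller does not reintroduce the stack-lifetime bug. The function body continues past the hunk, so whether a too-small `key_buf_size` is reported cleanly cannot be confirmed from here.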
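Review bot: In the main() hunk (@@ -360,7 +360,10 @@) the call repeats `DST_KEY_MAXSIZE` instead of deriving the length from the array it passes; `loadkey(argv[isc_commandline_index], key_buf, sizeof(key_buf), &rdata);` keeps the size tied to the declaration if that ever changes. Separately, `key_buf` is scoped to the `else` block while `rdata` is also used in the other branch, so `rdata` is presumably declared further out. Any use of `rdata` after this block closes would again read dead stack memory. The end of the block is outside the hunk, so that should be checked, or the buffer declared next to `rdata`.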