diff --git a/bin/dnssec/dnssec-makekeyset.c b/bin/dnssec/dnssec-makekeyset.c
index 189e052203..ae8bab29ef 100644
--- a/bin/dnssec/dnssec-makekeyset.c
+++ b/bin/dnssec/dnssec-makekeyset.c
@@ -17,7 +17,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-makekeyset.c,v 1.49 2001/03/27 22:08:36 bwelling Exp $ */
+/* $Id: dnssec-makekeyset.c,v 1.50 2001/03/27 22:57:40 bwelling Exp $ */
 
 #include <config.h>
 
@@ -262,10 +262,10 @@ main(int argc, char *argv[]) {
 		dns_name_downcase(dst_key_name(key),
 				  dns_fixedname_name(&fname),
 				  NULL);
-		result = dns_name_totext(dns_fixedname_name(&fname),
-					 ISC_FALSE,
-					 &namebuf);
-		check_result(result, "dns_name_totext");
+		result = dns_name_tofilenametext(dns_fixedname_name(&fname),
+						 ISC_FALSE,
+						 &namebuf);
+		check_result(result, "dns_name_tofilenametext");
 		isc_buffer_putuint8(&namebuf, 0);
 		
 		if (savedname == NULL) {
@@ -298,13 +298,7 @@ main(int argc, char *argv[]) {
 		if (domain == NULL) {
 			dns_fixedname_init(&fdomain);
 			domain = dns_fixedname_name(&fdomain);
-			isc_buffer_init(&b, namestr, strlen(namestr));
-			isc_buffer_add(&b, strlen(namestr));
-			result = dns_name_fromtext(domain, &b, dns_rootname,
-						   ISC_FALSE, NULL);
-			if (result != ISC_R_SUCCESS)
-				fatal("%s is not a valid name: %s",
-				      namestr, isc_result_totext(result));
+			dns_name_copy(dst_key_name(key), domain, NULL);
 		}
 		if (dst_key_iszonekey(key)) {
 			dst_key_t *zonekey = NULL;
diff --git a/bin/dnssec/dnssec-signkey.c b/bin/dnssec/dnssec-signkey.c
index 804721d023..50f7732808 100644
--- a/bin/dnssec/dnssec-signkey.c
+++ b/bin/dnssec/dnssec-signkey.c
@@ -17,7 +17,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signkey.c,v 1.48 2001/03/27 22:08:37 bwelling Exp $ */
+/* $Id: dnssec-signkey.c,v 1.49 2001/03/27 22:57:41 bwelling Exp $ */
 
 #include <config.h>
 
@@ -30,6 +30,7 @@
 #include <isc/util.h>
 
 #include <dns/db.h>
+#include <dns/dbiterator.h>
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
@@ -37,6 +38,7 @@
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
 #include <dns/rdatastruct.h>
 #include <dns/result.h>
 #include <dns/secalg.h>
@@ -161,6 +163,8 @@ main(int argc, char *argv[]) {
 	dns_db_t *db;
 	dns_dbnode_t *node;
 	dns_dbversion_t *version;
+	dns_dbiterator_t *dbiter;
+	dns_rdatasetiter_t *rdsiter;
 	dst_key_t *key = NULL;
 	dns_rdata_t *rdata;
 	dns_rdata_t sigrdata = DNS_RDATA_INIT;
@@ -169,7 +173,6 @@ main(int argc, char *argv[]) {
 	dns_rdata_sig_t sig;
 	isc_result_t result;
 	isc_buffer_t b;
-	isc_region_t r;
 	isc_textregion_t tr;
 	isc_log_t *log = NULL;
 	keynode_t *keynode;
@@ -257,27 +260,6 @@ main(int argc, char *argv[]) {
 	if (strlen(argv[0]) < 8 || strncmp(argv[0], "keyset-", 7) != 0)
 		fatal("keyset file '%s' must start with keyset-", argv[0]);
 
-	dns_fixedname_init(&fdomain);
-	domain = dns_fixedname_name(&fdomain);
-	isc_buffer_init(&b, argv[0] + strlen("keyset-"),
-			strlen(argv[0]) - strlen("keyset-"));
-	isc_buffer_add(&b, strlen(argv[0]) - strlen("keyset-"));
-	result = dns_name_fromtext(domain, &b, dns_rootname, ISC_TRUE, NULL);
-	if (result != ISC_R_SUCCESS)
-		fatal("'%s' does not contain a valid domain name", argv[0]);
-	isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
-	result = dns_name_totext(domain, ISC_FALSE, &b);
-	check_result(result, "dns_name_totext()");
-	isc_buffer_usedregion(&b, &r);
-	tdomain[r.length] = 0;
-
-	output = isc_mem_allocate(mctx,
-				  strlen("signedkey-") + strlen(tdomain) + 1);
-	if (output == NULL)
-		fatal("out of memory");
-	strcpy(output, "signedkey-");
-	strcat(output, tdomain);
-
 	db = NULL;
 	result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
 			       rdclass, 0, NULL, &db);
@@ -288,18 +270,47 @@ main(int argc, char *argv[]) {
 		fatal("failed to load database from '%s': %s", argv[0],
 		      isc_result_totext(result));
 
+	dns_fixedname_init(&fdomain);
+	domain = dns_fixedname_name(&fdomain);
+
+	dbiter = NULL;
+	result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+	while (result == ISC_R_SUCCESS) {
+		node = NULL;
+		dns_dbiterator_current(dbiter, &node, domain);
+		rdsiter = NULL;
+		result = dns_db_allrdatasets(db, node, NULL, 0, &rdsiter);
+		check_result(result, "dns_db_allrdatasets()");
+		result = dns_rdatasetiter_first(rdsiter);
+		dns_rdatasetiter_destroy(&rdsiter);
+		if (result == ISC_R_SUCCESS)
+			break;
+		dns_db_detachnode(db, &node);
+		result = dns_dbiterator_next(dbiter);
+	}
+	dns_dbiterator_destroy(&dbiter);
+	if (result != ISC_R_SUCCESS)
+		fatal("failed to find data in keyset file");
+
+	isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
+	result = dns_name_tofilenametext(domain, ISC_FALSE, &b);
+	check_result(result, "dns_name_tofilenametext()");
+	isc_buffer_putuint8(&b, 0);
+
+	output = isc_mem_allocate(mctx,
+				  strlen("signedkey-") + strlen(tdomain) + 1);
+	if (output == NULL)
+		fatal("out of memory");
+	strcpy(output, "signedkey-");
+	strcat(output, tdomain);
+
 	version = NULL;
 	dns_db_newversion(db, &version);
 
-	node = NULL;
-	result = dns_db_findnode(db, domain, ISC_FALSE, &node);
-	if (result != ISC_R_SUCCESS) {
-		char domainstr[DNS_NAME_FORMATSIZE];
-		dns_name_format(domain, domainstr, sizeof domainstr);
-		fatal("failed to find database node '%s': %s",
-		      domainstr, isc_result_totext(result));
-	}
-
 	dns_rdataset_init(&rdataset);
 	dns_rdataset_init(&sigrdataset);
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_key, 0,
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 50b2907b08..1e87bdb6c0 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -17,7 +17,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.131 2001/03/27 22:08:39 bwelling Exp $ */
+/* $Id: dnssec-signzone.c,v 1.132 2001/03/27 22:57:43 bwelling Exp $ */
 
 #include <config.h>
 
@@ -519,8 +519,9 @@ opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
 	isc_buffer_putstr(&b, prefix);
 	dns_fixedname_init(&fname);
 	(void)dns_name_downcase(name, dns_fixedname_name(&fname), NULL);
-	result = dns_name_totext(dns_fixedname_name(&fname), ISC_FALSE, &b);
-	check_result(result, "dns_name_totext()");
+	result = dns_name_tofilenametext(dns_fixedname_name(&fname),
+					 ISC_FALSE, &b);
+	check_result(result, "dns_name_tofilenametext()");
 	if (isc_buffer_availablelength(&b) == 0) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(name, namestr, sizeof namestr);
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 5b25e6e2e8..c2a966b848 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.91 2001/02/19 08:54:54 halley Exp $ */
+/* $Id: name.h,v 1.92 2001/03/27 22:57:47 bwelling Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -914,6 +914,36 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
  *   dot terminating each label = 1004 bytes total.
  */
 
+isc_result_t
+dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
+			isc_buffer_t *target);
+/*
+ * Convert 'name' into an alternate text format appropriate for filenames,
+ * storing the result in 'target'.
+ *
+ * Notes:
+ *	If 'omit_final_dot' is true, then the final '.' in absolute
+ *	names other than the root name will be omitted.
+ *
+ *	The name is not NUL terminated.
+ *
+ * Requires:
+ *
+ *	'name' is a valid absolute name
+ *
+ *	'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ *	If the result is success:
+ *
+ *		The used space in target is updated.
+ *
+ * Returns:
+ *	ISC_R_SUCCESS
+ *	ISC_R_NOSPACE
+ */
+
 isc_result_t
 dns_name_downcase(dns_name_t *source, dns_name_t *name,
 		  isc_buffer_t *target);
diff --git a/lib/dns/name.c b/lib/dns/name.c
index bdcbb94af3..b998d804ae 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.121 2001/02/13 00:07:25 bwelling Exp $ */
+/* $Id: name.c,v 1.122 2001/03/27 22:57:45 bwelling Exp $ */
 
 #include <config.h>
 
@@ -1861,6 +1861,157 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
+			isc_buffer_t *target)
+{
+	unsigned char *ndata;
+	char *tdata;
+	unsigned int nlen, tlen;
+	unsigned char c;
+	unsigned int trem, count;
+	unsigned int bytes, nibbles;
+	size_t i, len;
+	unsigned int labels;
+	char num[4];
+
+	/*
+	 * This function assumes the name is in proper uncompressed
+	 * wire format.
+	 */
+	REQUIRE(VALID_NAME(name));
+	REQUIRE((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+	REQUIRE(ISC_BUFFER_VALID(target));
+
+	ndata = name->ndata;
+	nlen = name->length;
+	labels = name->labels;
+	tdata = isc_buffer_used(target);
+	tlen = isc_buffer_availablelength(target);
+
+	trem = tlen;
+
+	if (nlen == 1 && labels == 1 && *ndata == '\0') {
+		/*
+		 * Special handling for the root label.
+		 */
+		if (trem == 0)
+			return (ISC_R_NOSPACE);
+
+		omit_final_dot = ISC_FALSE;
+		*tdata++ = '.';
+		trem--;
+
+		/*
+		 * Skip the while() loop.
+		 */
+		nlen = 0;
+	}
+
+	while (labels > 0 && nlen > 0 && trem > 0) {
+		labels--;
+		count = *ndata++;
+		nlen--;
+		if (count == 0)
+			break;
+		if (count < 64) {
+			INSIST(nlen >= count);
+			while (count > 0) {
+				c = *ndata;
+				if ((c >= 0x30 && c <= 0x39) || /* digit */
+				    (c >= 0x41 && c <= 0x5A) ||	/* uppercase */
+				    (c >= 0x61 && c <= 0x7A) || /* lowercase */
+				    c == 0x2D ||		/* hyphen */
+				    c == 0x5F)			/* underscore */
+				{
+					if (trem == 0)
+						return (ISC_R_NOSPACE);
+					CONVERTFROMASCII(c);
+					*tdata++ = c;
+					ndata++;
+					trem--;
+					nlen--;
+				} else {
+					if (trem < 3)
+						return (ISC_R_NOSPACE);
+					sprintf(tdata, "%%%02X", c);
+					tdata += 3;
+					trem -= 3;
+					ndata++;
+					nlen--;
+				}
+				count--;
+			}
+		} else if (count == DNS_LABELTYPE_BITSTRING) {
+			if (trem < 3)
+				return (ISC_R_NOSPACE);
+			*tdata++ = '%';
+			*tdata++ = 'x';
+			trem -= 2;
+			INSIST(nlen > 0);
+			count = *ndata++;
+			if (count == 0)
+				count = 256;
+			nlen--;
+			len = sprintf(num, "%u", count);	/* XXX */
+			INSIST(len <= 4);
+			bytes = count / 8;
+			if (count % 8 != 0)
+				bytes++;
+			INSIST(nlen >= bytes);
+			nibbles = count / 4;
+			if (count % 4 != 0)
+				nibbles++;
+			if (trem < nibbles)
+				return (ISC_R_NOSPACE);
+			trem -= nibbles;
+			nlen -= bytes;
+			while (nibbles > 0) {
+				c = *ndata++;
+				*tdata++ = hexdigits[(c >> 4)];
+				nibbles--;
+				if (nibbles != 0) {
+					*tdata++ = hexdigits[c & 0xf];
+					i++;
+					nibbles--;
+				}
+			}
+			if (trem < 2 + len)
+				return (ISC_R_NOSPACE);
+			*tdata++ = '%';
+			for (i = 0; i < len; i++)
+				*tdata++ = num[i];
+			*tdata++ = '%';
+			trem -= 2 + len;
+		} else {
+			FATAL_ERROR(__FILE__, __LINE__,
+				    "Unexpected label type %02x", count);
+			/* NOTREACHED */
+		}
+
+		/*
+		 * The following assumes names are absolute.  If not, we
+		 * fix things up later.  Note that this means that in some
+		 * cases one more byte of text buffer is required than is
+		 * needed in the final output.
+		 */
+		if (trem == 0)
+			return (ISC_R_NOSPACE);
+		*tdata++ = '.';
+		trem--;
+	}
+
+	if (nlen != 0 && trem == 0)
+		return (ISC_R_NOSPACE);
+
+	if (omit_final_dot)
+		trem++;
+
+	isc_buffer_add(target, tlen - trem);
+
+	return (ISC_R_SUCCESS);
+}
+
 isc_result_t
 dns_name_downcase(dns_name_t *source, dns_name_t *name, isc_buffer_t *target) {
 	unsigned char *sndata, *ndata;
diff --git a/lib/dns/sec/dst/dst_api.c b/lib/dns/sec/dst/dst_api.c
index 300f8ed54b..1caf3bb530 100644
--- a/lib/dns/sec/dst/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@@ -19,7 +19,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.74 2001/02/14 20:26:46 bwelling Exp $
+ * $Id: dst_api.c,v 1.75 2001/03/27 22:57:48 bwelling Exp $
  */
 
 #include <config.h>
@@ -937,6 +937,7 @@ buildfilename(dns_name_t *name, const dns_keytag_t id,
 	const char *suffix = "";
 	unsigned int len;
 	isc_result_t result;
+	dns_fixedname_t fname;
 
 	REQUIRE(out != NULL);
 	if ((type & DST_TYPE_PRIVATE) != 0)
@@ -953,8 +954,11 @@ buildfilename(dns_name_t *name, const dns_keytag_t id,
 	}
 	if (isc_buffer_availablelength(out) < 1)
 		return (ISC_R_NOSPACE);
+	dns_fixedname_init(&fname);
+	(void)dns_name_downcase(name, dns_fixedname_name(&fname), NULL);
 	isc_buffer_putstr(out, "K");
-	result = dns_name_totext(name, ISC_FALSE, out);
+	result = dns_name_tofilenametext(dns_fixedname_name(&fname),
+					 ISC_FALSE, out);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;