diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index aa31469f9a..3c890112c3 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -38,6 +38,7 @@
 #include
 #include
+#include
 #include
@@ -153,6 +154,7 @@ main(int argc, char **argv) {
 isc_boolean_t force = ISC_FALSE;
 isc_boolean_t epoch = ISC_FALSE;
 isc_boolean_t changed = ISC_FALSE;
+ isc_log_t *log = NULL;
 if (argc == 1)
 usage();
@@ -161,6 +163,8 @@ main(int argc, char **argv) {
 if (result != ISC_R_SUCCESS)
 fatal("Out of memory");
+ setup_logging(verbose, mctx, &log);
+
 dns_result_register();
 isc_commandline_errprint = ISC_FALSE;
@@ -593,6 +597,7 @@ main(int argc, char **argv) {
 cleanup_entropy(&ectx);
 if (verbose > 10)
 isc_mem_stats(mctx, stdout);
+ cleanup_logging(&log);
 isc_mem_free(mctx, directory);
 isc_mem_destroy(&mctx);
diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh
index 8994b8bd08..b764060b50 100644
--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@@ -134,7 +134,7 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
-echo "I:checking update of an old-style key"
+echo "I:checking update of an old-style key ($n)"
 ret=0
 # printing metadata should not work with an old-style key
 $SETTIME -pall `cat oldstyle.key` > /dev/null 2>&1 && ret=1
@@ -145,5 +145,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:checking warning about permissions change on key with dnssec-settime ($n)"
+ret=0
+# settime should print a warning about changing the permissions
+chmod 644 `cat oldstyle.key`.private
+$SETTIME -P none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 || ret=1
+$SETTIME -P none `cat oldstyle.key` > tmp.out 2>&1 || ret=1
+grep "warning" tmp.out > /dev/null 2>&1 && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index fab0edc05f..12822bedf2 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -56,6 +56,7 @@
 #include
 #include
 #include
+#include
 #define DST_KEY_INTERNAL
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 66af765161..e406d5c491 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -44,8 +44,10 @@
 #include
 #include
 #include
+#include
 #include
+#include
 #include "dst_internal.h"
 #include "dst_parse.h"
@@ -557,7 +559,6 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 const char *directory)
 {
 FILE *fp;
- int ret, i;
 isc_result_t result;
 char filename[ISC_DIR_NAMEMAX];
 char buffer[MAXFIELDSIZE * 2];
@@ -567,6 +568,8 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 isc_buffer_t b;
 isc_region_t r;
 int major, minor;
+ mode_t mode;
+ int i;
 REQUIRE(priv != NULL);
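Review bot: The two `grep "warning" tmp.out` checks in the new case match any line containing "warning", so an unrelated warning satisfies the first run and a differently worded permissions message would go unnoticed; anchoring on the text the commit introduces, `grep "Permissions on the file" tmp.out > /dev/null 2>&1 || ret=1` for the first run and the same pattern with `&& ret=1` for the second, makes the case test what its echo line claims. The case also leaves the key's `.private` file at whatever mode settime set and leaves `tmp.out` behind, so any later test that reuses `oldstyle.key` sees the changed mode. Whether the warning is printed without `-v` depends on `setup_logging` in dnssec-settime, which is outside this diff.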
@@ -581,6 +584,17 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 if (result != ISC_R_SUCCESS)
 return (result);
+ result = isc_file_mode(filename, &mode);
+ if (result == ISC_R_SUCCESS && mode != 0600) {
+ /* File exists; warn that we are changing its permissions */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
+ "Permissions on the file %s "
+ "have changed from 0%o to 0600 as "
+ "a result of this operation.",
+ filename, mode);
+ }
+
 if ((fp = fopen(filename, "w")) == NULL)
 return (DST_R_WRITEERROR);
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
index 9f98f4c373..04c10c2e66 100644
--- a/lib/isc/include/isc/file.h
+++ b/lib/isc/include/isc/file.h
@@ -32,6 +32,9 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 isc_file_settime(const char *file, isc_time_t *time);
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep);
+
 isc_result_t
 isc_file_getmodtime(const char *file, isc_time_t *time);
 /*!<
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
index 2ad65f714c..31fd49ddcb 100644
--- a/lib/isc/unix/file.c
+++ b/lib/isc/unix/file.c
@@ -128,6 +128,20 @@ isc_file_getsizefd(int fd, off_t *size) {
 return (result);
 }
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep) {
+ isc_result_t result;
+ struct stat stats;
+
+ REQUIRE(modep != NULL);
+
+ result = file_stats(file, &stats);
+ if (result == ISC_R_SUCCESS)
+ *modep = (stats.st_mode & 07777);
+
+ return (result);
+}
+
 isc_result_t
 isc_file_getmodtime(const char *file, isc_time_t *time) {
 isc_result_t result;
diff --git a/lib/isc/win32/file.c b/lib/isc/win32/file.c
index 5461395607..9bc8d49090 100644
--- a/lib/isc/win32/file.c
+++ b/lib/isc/win32/file.c
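Review bot: The mode is read just before `fopen(filename, "w")` and the warning promises 0600, but nothing in this hunk changes the mode: `fopen` with `"w"` truncates and rewrites an existing file under its current permissions, so a private key that was 0644 has its freshly written key material readable under the old mode until whatever later code sets 0600 (not visible here) runs. Applying the 0600 mode before the write, or creating the file through a call that takes a 0600 create mode together with truncation, would make the warning and the on-disk state agree at the moment the contents land. `result` is also overwritten by the `isc_file_mode` call, which is expected to fail for a key file that does not exist yet; if any later path in `dst__privstruct_writefile` returns `result` without reassigning it, that stat failure leaks out as the function's return — worth confirming against the rest of the function, which begins and continues outside the hunk.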
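Review bot: The new `isc_file_mode` prototype is the only declaration in this block without a Doxygen note, while the neighbouring `isc_file_getmodtime` carries a `/*!<` comment; add one stating that on ISC_R_SUCCESS `*modep` receives the permission bits of 'file' (the low twelve bits of st_mode) and that `*modep` is left untouched on any other result. The prototype also introduces `mode_t` into this public header, and the hunk shows no include being added to file.h for it; unless `<sys/types.h>` is already pulled in above the hunk, every includer has to supply it.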
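Review bot: `stats.st_mode & 07777` is an unexplained mask in the new `isc_file_mode`; a one-line comment such as `/* permission bits only (setuid/setgid/sticky + rwx), file type stripped */` saves the next reader a lookup, and a note that `*modep` is not written when `file_stats` fails documents the contract the caller in dst_parse.c relies on. Whether `file_stats` follows symbolic links is not visible here; if it does, the caller reports the mode of the link target rather than the link, which is presumably what is wanted but should be stated.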
@@ -158,7 +158,19 @@ isc_file_getsizefd(int fd, off_t *size) {
 if (result == ISC_R_SUCCESS)
 *size = stats.st_size;
+ return (result);
+}
+isc_result_t
+isc_file_mode(const char *file, mode_t *modep) {
+ isc_result_t result;
+ struct stat stats;
+
+ REQUIRE(modep != NULL);
+
+ result = file_stats(file, &stats);
+ if (result == ISC_R_SUCCESS)
+ *modep = (stats.st_mode & 07777);
 return (result);
 }
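Review bot: On Win32 the `st_mode` filled in by the C runtime's stat carries only read/write bits, mirrored across owner, group and other, so `stats.st_mode & 07777` is unlikely ever to equal 0600 there; the `mode != 0600` comparison in dst_parse.c would then warn on every rewrite of an existing private key on Windows, and the second settime run in the new tests.sh case would see a warning it expects not to see. Confirm against `file_stats` in this file, which is outside the hunk; if it holds, the comparison belongs behind a platform-specific check or a helper that normalizes the mode rather than in portable code. The hunk starts inside `isc_file_getsizefd`, whose beginning is outside the hunk.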