diff --git a/CHANGES b/CHANGES index 086a6ad0b1..cf41bef0b9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,10 @@ +2707. [func] dnssec-keyfromlabel no longer require engine name + to be specified in the label if there is a default + engine or the -E option has been used. Also, it + now uses default algorithms as dnssec-keygen does + (i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used). + [RT #20371] + 2706. [bug] Loading a zone with a very large NSEC3 salt could trigger an assert. [RT #20368] diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 556082230a..a08aacc6f4 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keyfromlabel.c,v 1.18 2009/10/05 17:30:49 fdupont Exp $ */ +/* $Id: dnssec-keyfromlabel.c,v 1.19 2009/10/06 22:58:45 each Exp $ */ /*! \file */ @@ -48,6 +48,9 @@ const char *program = "dnssec-keyfromlabel"; int verbose; +#define DEFAULT_ALGORITHM "RSASHA1" +#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1" + static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" " NSEC3DSA | NSEC3RSASHA1"; 
@@ -57,22 +60,22 @@ usage(void) ISC_PLATFORM_NORETURN_POST; static void usage(void) { fprintf(stderr, "Usage:\n"); - fprintf(stderr, " %s -a alg -l label [options] name\n\n", + fprintf(stderr, " %s -l label [options] name\n\n", program); fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "Required options:\n"); - fprintf(stderr, " -a algorithm: %s\n", algs); fprintf(stderr, " -l label: label of the key pair\n"); -#ifdef USE_PKCS11 - fprintf(stderr, " (for instance \"pkcs11:foo\"\n"); -#else - fprintf(stderr, " -E enginename\n"); -#endif fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); + fprintf(stderr, " -a algorithm: %s\n", algs); + fprintf(stderr, " (default: RSASHA1, or " + "NSEC3RSASHA1 if using -3)\n"); + fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -c class (default: IN)\n"); #ifdef USE_PKCS11 fprintf(stderr, " -E enginename (default: pkcs11)\n"); +#else + fprintf(stderr, " -E enginename\n"); #endif fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); fprintf(stderr, " -K directory: directory in which to place " @@ -140,6 +143,7 @@ main(int argc, char **argv) { isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE; isc_boolean_t unsetdel = ISC_FALSE; isc_boolean_t genonly = ISC_FALSE; + isc_boolean_t use_nsec3 = ISC_FALSE; if (argc == 1) usage(); @@ -153,9 +157,12 @@ main(int argc, char **argv) { isc_stdtime_get(&now); while ((ch = isc_commandline_parse(argc, argv, - "a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1) + "3a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1) { switch (ch) { + case '3': + use_nsec3 = ISC_TRUE; + break; case 'a': algname = isc_commandline_argument; break; 
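Review bot: The new default text in the usage hunk hard-codes "RSASHA1" and "NSEC3RSASHA1" even though the same file now defines DEFAULT_ALGORITHM and DEFAULT_NSEC3_ALGORITHM for exactly those values, so the help output and the actual default can drift apart the next time someone changes the macro. Printing the macros keeps them in sync: `fprintf(stderr, " (default: %s, or %s if using -3)\n", DEFAULT_ALGORITHM, DEFAULT_NSEC3_ALGORITHM);`. The usage() function continues past the end of the hunk, and the `-3` and `-E` lines it adds look consistent with the option string change in the later hunk.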
@@ -301,8 +308,27 @@ main(int argc, char **argv) { if (argc > isc_commandline_index + 1) fatal("extraneous arguments"); - if (algname == NULL) - fatal("no algorithm was specified"); + if (strchr(label, ':') == NULL && + engine != NULL && strlen(engine) != 0) { + char *l; + int len; + + len = strlen(label) + strlen(engine) + 2; + l = isc_mem_get(mctx, len); + snprintf(l, len, "%s:%s", engine, label); + label = l; + } + + if (algname == NULL) { + if (use_nsec3) + algname = strdup(DEFAULT_NSEC3_ALGORITHM); + else + algname = strdup(DEFAULT_ALGORITHM); + if (verbose > 0) + fprintf(stderr, "no algorithm specified; " + "defaulting to %s\n", algname); + } + if (strcasecmp(algname, "RSA") == 0) { fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n" "If you still wish to use RSA (RSAMD5) please " @@ -318,6 +344,12 @@ main(int argc, char **argv) { options |= DST_TYPE_KEY; } + if (use_nsec3 && + alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1) { + fatal("%s is incompatible with NSEC3; " + "do not use the -3 option", algname); + } + if (type != NULL && (options & DST_TYPE_KEY) != 0) { if (strcasecmp(type, "NOAUTH") == 0) flags |= DNS_KEYTYPE_NOAUTH; diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index b80e0b1cae..1b576acad1 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + February 8, 2008 @@ -45,8 +45,9 @@ dnssec-keyfromlabel - -a algorithm -l label + + @@ -93,6 +94,11 @@ RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive. + + If no algorithm is specified, then RSASHA1 will be used by + default, unless the option is specified, + in which case NSEC3RSASHA1 will be used instead. + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. 
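Review bot: The result of `isc_mem_get(mctx, len)` in the new label-prefixing block is used by snprintf without a NULL check, so an allocation failure becomes a write through a null pointer instead of a clean exit; add `if (l == NULL) fatal("cannot allocate memory");` before the snprintf, matching the fatal() style used for "extraneous arguments" a few lines above. The same hunk also calls `strchr(label, ':')` unconditionally, which is only safe if an earlier `label == NULL` check exists outside the hunk (not visible here), and `strdup(DEFAULT_ALGORITHM)` is likewise unchecked and never freed — if algname is only ever read, assigning the literal directly (`algname = DEFAULT_ALGORITHM;`) removes both the allocation and the unchecked libc call. The composed "engine:label" buffer is not returned to mctx anywhere in the hunk; if it is not released later (outside this view), an isc_mem context that tracks outstanding allocations will report it at isc_mem_destroy time. The body of main() continues on both sides of the hunk.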
@@ -103,12 +109,24 @@ + + -3 + + + Use an NSEC3-capable algorithm to generate a DNSSEC key. + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. + + + + -E engine Specifies the name of the crypto hardware (OpenSSL engine). - When compiled with PKCS#11 support it defaults to pcks11. + When compiled with PKCS#11 support it defaults to "pcks11". @@ -117,9 +135,9 @@ -l label - Specifies the label of keys in the crypto hardware (OpenSSL - engine). An example for the pkcs11 engine is pkcs11:foo - (note the string pkcs11 is in both E and l options.) + Specifies the label of the key pair in the crypto hardware. + The label may be preceded by an optional OpenSSL engine name, + separated by a colon, as in "pkcs11:keylabel". diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index d1a4efa345..da7f99c238 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.99 2009/10/05 17:30:49 fdupont Exp $ */ +/* $Id: dnssec-keygen.c,v 1.100 2009/10/06 22:58:45 each Exp $ */ /*! \file */ @@ -66,8 +66,6 @@ int verbose; #define DEFAULT_ALGORITHM "RSASHA1" #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1" -#define DEFAULT_ALGORITHM "RSASHA1" - static isc_boolean_t dsa_size_ok(int size) { return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));