Index: dns/Makefile
===================================================================
--- dns/Makefile
+++ dns/Makefile
@@ -42,6 +42,7 @@
     SUBDIR += dnsproxy
     SUBDIR += dnsrecon
     SUBDIR += dnsreflector
+    SUBDIR += dnssec-rr
     SUBDIR += dnstable
     SUBDIR += dnstable-convert
     SUBDIR += dnstop
Index: dns/dnssec-rr/Makefile
===================================================================
--- /dev/null
+++ dns/dnssec-rr/Makefile
@@ -0,0 +1,41 @@
+PORTNAME=	dnssec-rr
+DISTVERSION=	0.2
+CATEGORIES=	dns security
+MASTER_SITES=	https://git.sr.ht/~mcf/dnssec-rr/archive/
+DISTNAME=	${DISTVERSION}
+
+MAINTAINER=	dch@FreeBSD.org
+COMMENT=	Set of C programs for working with DNSSEC
+WWW=		https://git.sr.ht/~mcf/dnssec-rr
+
+LICENSE=	ISCL
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+LIB_DEPENDS=	libbearssl.so:security/bearssl
+
+USES=		gmake localbase:ldflags
+
+WRKSRC=		${WRKDIR}/${PORTNAME}-${DISTVERSION}
+
+PLIST_FILES=	bin/dnskey \
+		bin/ds \
+		bin/nsec \
+		bin/rrsig \
+		bin/tlsa \
+		man/man1/dnskey.1.gz \
+		man/man1/ds.1.gz \
+		man/man1/nsec.1.gz \
+		man/man1/rrsig.1.gz \
+		man/man1/tlsa.1.gz
+
+do-install:
+	${MKDIR} ${STAGEDIR}${PREFIX}/man/man1
+.for i in dnskey ds nsec rrsig tlsa
+	${GZIP_CMD} < ${WRKSRC}/$i.1 > ${WRKSRC}/$i.1.gz
+	${INSTALL_MAN} ${WRKSRC}/$i.1.gz \
+		${STAGEDIR}${PREFIX}/man/man1
+	${INSTALL_PROGRAM} ${WRKSRC}/$i \
+		${STAGEDIR}${PREFIX}/bin
+.endfor
+
+.include <bsd.port.mk>
Index: dns/dnssec-rr/distinfo
===================================================================
--- /dev/null
+++ dns/dnssec-rr/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1750499801
+SHA256 (0.2.tar.gz) = a524530322cdf6111ed74c715443ef1951cb483385cc53f8735cec4c31cf419c
+SIZE (0.2.tar.gz) = 19287
Index: dns/dnssec-rr/files/patch-Makefile
===================================================================
--- /dev/null
+++ dns/dnssec-rr/files/patch-Makefile
@@ -0,0 +1,10 @@
+--- Makefile.orig	2025-06-21 08:07:07 UTC
++++ Makefile
+@@ -1,7 +1,5 @@
+ .PHONY: all install clean
+ 
+--include config.mk
+-
+ PREFIX?=/usr/local
+ BINDIR?=$(PREFIX)/bin
+ MANDIR?=$(PREFIX)/share/man
Index: dns/dnssec-rr/files/patch-zone.c
===================================================================
--- /dev/null
+++ dns/dnssec-rr/files/patch-zone.c
@@ -0,0 +1,10 @@
+--- zone.c.orig	2025-06-21 08:09:31 UTC
++++ zone.c
+@@ -4,6 +4,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <arpa/inet.h>
++#include <sys/socket.h>
+ #include "dnssec.h"
+ 
+ struct input {
Index: dns/dnssec-rr/pkg-descr
===================================================================
--- /dev/null
+++ dns/dnssec-rr/pkg-descr
@@ -0,0 +1,9 @@
+A set of tools for working with DNSSEC, using BearSSL for cryptography.
+
+- dnskey: generate dNSKEY records from private keys
+- ds: generate dS records for parent zones
+- nsec: generate nSEC records for zones
+- rrsig: sign records in zones, generating RRSIG records
+- tlsa: generate dANE TLSA records for certificates
+
+See also https://mforney.org/blog/2020-05-21-securing-your-zone-with-dnssec-and-dane.html