diff --git a/dns/Makefile b/dns/Makefile
index bb1bcc5070ee..acf599c08636 100644
--- a/dns/Makefile
+++ b/dns/Makefile
@@ -1,247 +1,248 @@
     COMMENT = Domain Name Service tools
 
     SUBDIR += acme-dns
     SUBDIR += adns
     SUBDIR += amass
     SUBDIR += axfr2acl
     SUBDIR += bind-tools
     SUBDIR += bind9-devel
     SUBDIR += bind918
     SUBDIR += bind920
     SUBDIR += bindgraph
     SUBDIR += blocky
     SUBDIR += c-ares
     SUBDIR += cli53
     SUBDIR += coredns
     SUBDIR += ddclient
     SUBDIR += ddns
     SUBDIR += denominator
     SUBDIR += dhisd
     SUBDIR += dlint
     SUBDIR += dns-ui
     SUBDIR += dns2blackhole
     SUBDIR += dns2tcp
     SUBDIR += dnsblast
     SUBDIR += dnscap
     SUBDIR += dnscontrol
     SUBDIR += dnscrypt-proxy2
     SUBDIR += dnscrypt-wrapper
     SUBDIR += dnsdbck
     SUBDIR += dnsdbflex
     SUBDIR += dnsdbq
     SUBDIR += dnsdist
     SUBDIR += dnsenum
     SUBDIR += dnsflood
     SUBDIR += dnshistory
     SUBDIR += dnsjava
     SUBDIR += dnsjit
     SUBDIR += dnsmasq
     SUBDIR += dnsmasq-devel
     SUBDIR += dnsmax-perl
     SUBDIR += dnsperf
     SUBDIR += dnsproxy
     SUBDIR += dnsrecon
     SUBDIR += dnsreflector
+    SUBDIR += dnssec-rr
     SUBDIR += dnstable
     SUBDIR += dnstable-convert
     SUBDIR += dnstop
     SUBDIR += dnstracer
     SUBDIR += dnstracer-rs
     SUBDIR += dnsutl
     SUBDIR += dnsviz
     SUBDIR += dnswalk
     SUBDIR += dnswall
     SUBDIR += dnsx
     SUBDIR += doc
     SUBDIR += dog
     SUBDIR += doggo
     SUBDIR += doh-proxy
     SUBDIR += dq
     SUBDIR += drool
     SUBDIR += dsc
     SUBDIR += dynip
     SUBDIR += encrypted-dns-server
     SUBDIR += fastresolve
     SUBDIR += flamethrower
     SUBDIR += fpdns
     SUBDIR += gdnsd2
     SUBDIR += gdnsd3
     SUBDIR += gen6dns
     SUBDIR += getdns
     SUBDIR += godns
     SUBDIR += hesiod
     SUBDIR += hetzner_ddns
     SUBDIR += hostdb
     SUBDIR += https_dns_proxy
     SUBDIR += idnkit
     SUBDIR += idnkit2
     SUBDIR += inadyn
     SUBDIR += ipcheck
     SUBDIR += kadnode
     SUBDIR += kf5-kdnssd
     SUBDIR += kf6-kdnssd
     SUBDIR += knock
     SUBDIR += knot-resolver
     SUBDIR += knot3
     SUBDIR += ldapdns
     SUBDIR += ldns
     SUBDIR += letsdns
     SUBDIR += libbind
     SUBDIR += libidn
     SUBDIR += libidn2
     SUBDIR += libmicrodns
     SUBDIR += libnspsl
     SUBDIR += libpsl
     SUBDIR += linux-c7-libasyncns
     SUBDIR += linux-rl9-libasyncns
     SUBDIR += lua-resty-dns
     SUBDIR += luaunbound
     SUBDIR += mDNSResponder_nss
     SUBDIR += maradns
     SUBDIR += mdnsd
     SUBDIR += mosdns
     SUBDIR += namesilo_ddns
     SUBDIR += nextdns
     SUBDIR += noip
     SUBDIR += nsd
     SUBDIR += nslint
     SUBDIR += nsnotifyd
     SUBDIR += nsping
     SUBDIR += nss_mdns
     SUBDIR += nss_resinit
     SUBDIR += opendnssec2
     SUBDIR += openresolv
     SUBDIR += p5-AnyEvent-CacheDNS
     SUBDIR += p5-AnyEvent-DNS-EtcHosts
     SUBDIR += p5-App-DSC-DataTool
     SUBDIR += p5-BIND-Conf_Parser
     SUBDIR += p5-BIND-Config-Parser
     SUBDIR += p5-DNS-Config
     SUBDIR += p5-DNS-EasyDNS
     SUBDIR += p5-DNS-Ldns
     SUBDIR += p5-DNS-Zone
     SUBDIR += p5-DNS-ZoneParse
     SUBDIR += p5-DNS-nsdiff
     SUBDIR += p5-Data-Validate-Domain
     SUBDIR += p5-IO-Async-Resolver-DNS
     SUBDIR += p5-Mozilla-PublicSuffix
     SUBDIR += p5-Net-Amazon-Route53
     SUBDIR += p5-Net-Bonjour
     SUBDIR += p5-Net-DNS
     SUBDIR += p5-Net-DNS-Async
     SUBDIR += p5-Net-DNS-Check
     SUBDIR += p5-Net-DNS-Codes
     SUBDIR += p5-Net-DNS-Lite
     SUBDIR += p5-Net-DNS-Match
     SUBDIR += p5-Net-DNS-Paranoid
     SUBDIR += p5-Net-DNS-RR-SRV-Helper
     SUBDIR += p5-Net-DNS-Resolver-Mock
     SUBDIR += p5-Net-DNS-Resolver-Programmable
     SUBDIR += p5-Net-DNS-SEC
     SUBDIR += p5-Net-DNS-TestNS
     SUBDIR += p5-Net-DNS-ToolKit
     SUBDIR += p5-Net-DNS-Zone-Parser
     SUBDIR += p5-Net-DNS-ZoneFile-Fast
     SUBDIR += p5-Net-DNSBL-MultiDaemon
     SUBDIR += p5-Net-DNSBL-Statistics
     SUBDIR += p5-Net-DRI
     SUBDIR += p5-Net-Domain-ExpireDate
     SUBDIR += p5-Net-Domain-TLD
     SUBDIR += p5-Net-LibIDN
     SUBDIR += p5-Net-LibIDN2
     SUBDIR += p5-Net-Nslookup
     SUBDIR += p5-Net-RBLClient
     SUBDIR += p5-Net-RNDC
     SUBDIR += p5-POE-Component-Client-DNS
     SUBDIR += p5-POE-Component-Client-DNS-Recursive
     SUBDIR += p5-POE-Component-Client-DNSBL
     SUBDIR += p5-POE-Component-Resolver
     SUBDIR += p5-POE-Component-Server-DNS
     SUBDIR += p5-POE-Filter-DNS-TCP
     SUBDIR += p5-Tie-DNS
     SUBDIR += p5-URBL-Prepare
     SUBDIR += p5-Zonemaster-Backend
     SUBDIR += p5-Zonemaster-CLI
     SUBDIR += p5-Zonemaster-Engine
     SUBDIR += p5-Zonemaster-LDNS
     SUBDIR += packetq
     SUBDIR += pdnsd
     SUBDIR += pear-File_DNS
     SUBDIR += pear-Horde_Idna
     SUBDIR += pear-Net_DNS2
     SUBDIR += powerdns
     SUBDIR += powerdns-recursor
     SUBDIR += prometheus-dnssec-exporter
     SUBDIR += public_suffix_list
     SUBDIR += py-adns
     SUBDIR += py-aiodns
     SUBDIR += py-cloudflare
     SUBDIR += py-dns-crawler
     SUBDIR += py-dns-lexicon
     SUBDIR += py-dnslib
     SUBDIR += py-dnspython
     SUBDIR += py-dnspython1
     SUBDIR += py-easyzone
     SUBDIR += py-idna
     SUBDIR += py-ldns
     SUBDIR += py-libknot
     SUBDIR += py-localzone
     SUBDIR += py-ns1-python
     SUBDIR += py-publicsuffix
     SUBDIR += py-publicsuffix2
     SUBDIR += py-publicsuffixlist
     SUBDIR += py-py3dns
     SUBDIR += py-pybonjour
     SUBDIR += py-pycares
     SUBDIR += py-pydnstable
     SUBDIR += py-pywdns
     SUBDIR += py-tld
     SUBDIR += py-tldextract
     SUBDIR += q-dns
     SUBDIR += qmdnsengine
     SUBDIR += radns
     SUBDIR += rbldnsd
     SUBDIR += rbllookup
     SUBDIR += rbllookup-ng
     SUBDIR += rdap
     SUBDIR += renewck
     SUBDIR += rpsl2acl
     SUBDIR += rubygem-dnsruby
     SUBDIR += rubygem-gitlab-net-dns
     SUBDIR += rubygem-google-apis-dns_v1
     SUBDIR += rubygem-google-apis-dns_v1-gitlab
     SUBDIR += rubygem-google-cloud-dns
     SUBDIR += rubygem-idn-ruby
     SUBDIR += rubygem-net-dns
     SUBDIR += rubygem-public_suffix
     SUBDIR += rubygem-public_suffix_service
     SUBDIR += rubygem-resolv
     SUBDIR += rubygem-resolv-replace
     SUBDIR += rubygem-simpleidn
     SUBDIR += rubygem-simpleidn02
     SUBDIR += rubygem-validates_hostname
     SUBDIR += rubygem-validates_hostname-gitlab
     SUBDIR += rubygem-zonefile
     SUBDIR += samba-nsupdate
     SUBDIR += scavenge
     SUBDIR += sleuth
     SUBDIR += subfinder
     SUBDIR += totd
     SUBDIR += udns
     SUBDIR += unbound
     SUBDIR += utdns
     SUBDIR += vhostcname
     SUBDIR += vizone
     SUBDIR += void-zones-tools
     SUBDIR += walker
     SUBDIR += wdns
     SUBDIR += whoseip
     SUBDIR += wrapsrv
     SUBDIR += yadifa
     SUBDIR += yandex-ddns
     SUBDIR += zdns
     SUBDIR += zkt
     SUBDIR += zns
     SUBDIR += zonenotify
 
 .include <bsd.port.subdir.mk>
diff --git a/dns/dnssec-rr/Makefile b/dns/dnssec-rr/Makefile
new file mode 100644
index 000000000000..96d05c9969da
--- /dev/null
+++ b/dns/dnssec-rr/Makefile
@@ -0,0 +1,46 @@
+PORTNAME=	dnssec-rr
+DISTVERSION=	0.2
+CATEGORIES=	dns security
+MASTER_SITES=	https://git.sr.ht/~mcf/dnssec-rr/refs/download/${DISTVERSION}/
+
+MAINTAINER=	dch@FreeBSD.org
+COMMENT=	Set of C programs for working with DNSSEC
+WWW=		https://git.sr.ht/~mcf/dnssec-rr
+
+LICENSE=	ISCL
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+LIB_DEPENDS=	libbearssl.so:security/bearssl
+
+USES=		localbase:ldflags
+
+PLIST_FILES=	bin/dnskey \
+		bin/ds \
+		bin/nsec \
+		bin/rrsig \
+		bin/tlsa \
+		share/man/man1/dnskey.1.gz \
+		share/man/man1/ds.1.gz \
+		share/man/man1/nsec.1.gz \
+		share/man/man1/rrsig.1.gz \
+		share/man/man1/tlsa.1.gz
+
+PORTDOCS=	README.md
+
+OPTIONS_DEFINE=	DOCS
+
+do-install:
+	${MKDIR} ${STAGEDIR}${MANDIRS}/man1
+.for i in dnskey ds nsec rrsig tlsa
+	${INSTALL_MAN} ${WRKSRC}/$i.1 \
+		${STAGEDIR}${MANDIRS}/man1
+	${INSTALL_PROGRAM} ${WRKSRC}/$i \
+		${STAGEDIR}${PREFIX}/bin
+.endfor
+
+do-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${WRKSRC}/README.md \
+		${STAGEDIR}${DOCSDIR}
+
+.include <bsd.port.mk>
diff --git a/dns/dnssec-rr/distinfo b/dns/dnssec-rr/distinfo
new file mode 100644
index 000000000000..871b3d94cb5b
--- /dev/null
+++ b/dns/dnssec-rr/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1750592067
+SHA256 (dnssec-rr-0.2.tar.gz) = 658699a0c094ae1715c7b6bc2b638dac24f21f25c889aaf4c27359a4cf40bdaf
+SIZE (dnssec-rr-0.2.tar.gz) = 19425
diff --git a/dns/dnssec-rr/files/patch-Makefile b/dns/dnssec-rr/files/patch-Makefile
new file mode 100644
index 000000000000..94e2a03ba201
--- /dev/null
+++ b/dns/dnssec-rr/files/patch-Makefile
@@ -0,0 +1,10 @@
+--- Makefile.orig	2025-06-21 08:07:07 UTC
++++ Makefile
+@@ -1,7 +1,5 @@
+ .PHONY: all install clean
+ 
+--include config.mk
+-
+ PREFIX?=/usr/local
+ BINDIR?=$(PREFIX)/bin
+ MANDIR?=$(PREFIX)/share/man
diff --git a/dns/dnssec-rr/files/patch-zone.c b/dns/dnssec-rr/files/patch-zone.c
new file mode 100644
index 000000000000..448e52f8b919
--- /dev/null
+++ b/dns/dnssec-rr/files/patch-zone.c
@@ -0,0 +1,10 @@
+--- zone.c.orig	2025-06-21 08:09:31 UTC
++++ zone.c
+@@ -4,6 +4,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <arpa/inet.h>
++#include <sys/socket.h>
+ #include "dnssec.h"
+ 
+ struct input {
diff --git a/dns/dnssec-rr/pkg-descr b/dns/dnssec-rr/pkg-descr
new file mode 100644
index 000000000000..ff114db05955
--- /dev/null
+++ b/dns/dnssec-rr/pkg-descr
@@ -0,0 +1,9 @@
+A set of tools for working with DNSSEC, using BearSSL for cryptography.
+
+- dnskey: generate DNSKEY records from private keys
+- ds: generate DS records for parent zones
+- nsec: generate NSEC records for zones
+- rrsig: sign records in zones, generating RRSIG records
+- tlsa: generate DANE TLSA records for certificates
+
+See also https://mforney.org/blog/2020-05-21-securing-your-zone-with-dnssec-and-dane.html