diff --git a/ChangeLog b/ChangeLog
index 8d0909d..127135f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,9 +1,13 @@
+2024-11-02  David Blacka  <david@blacka.com>
+
+        * Handle I/O errors from ZoneUtils.readZoneFile() correctly (issue #19).
+
 2024-04-13  David Blacka  <david@blacka.com>
 
 	* Remove support for ECC_GOST
 	* Create a new DSAlgorithm class, move DS creation into that
 	* Add support for DS algorithms 3 and 4 -- bouncycastle crypto
-	provider used for DS algoirthm 3 (GOST R 34.11-94)
+	provider used for DS algorithm 3 (GOST R 34.11-94)
 	* Moved support for loading the bouncycastle provider to the new
 	DSAlgorithm class
 
diff --git a/VERSION b/VERSION
index 35e0a93..1395e30 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-version=0.20
+version=0.21
diff --git a/build.xml b/build.xml
index de71296..5811875 100644
--- a/build.xml
+++ b/build.xml
@@ -166,6 +166,10 @@
     </tar>
   </target>
 
+  <target name="onejar"
+          depends="build-onejar">
+  </target>
+
   <target name="dist"
          depends="bin-dist, src-dist, build-onejar, dist-clean">
   </target>
diff --git a/src/main/java/com/verisignlabs/dnssec/cl/SignKeyset.java b/src/main/java/com/verisignlabs/dnssec/cl/SignKeyset.java
index a7909fa..b0bdd45 100644
--- a/src/main/java/com/verisignlabs/dnssec/cl/SignKeyset.java
+++ b/src/main/java/com/verisignlabs/dnssec/cl/SignKeyset.java
@@ -240,7 +240,12 @@ public class SignKeyset extends CLBase {
 
   public void execute() throws Exception {
     // Read in the zone
-    List<Record> records = ZoneUtils.readZoneFile(inputfile, null);
+    List<Record> records = null;
+    try {
+      records = ZoneUtils.readZoneFile(inputfile, null);
+    } catch (java.io.IOException e) {
+      fail("Unable to read input file: " + e.getMessage());
+    }
     if (records == null || records.isEmpty()) {
       fail("empty keyset file");
     }
diff --git a/src/main/java/com/verisignlabs/dnssec/cl/SignRRset.java b/src/main/java/com/verisignlabs/dnssec/cl/SignRRset.java
index 41d0dd1..cd25a31 100644
--- a/src/main/java/com/verisignlabs/dnssec/cl/SignRRset.java
+++ b/src/main/java/com/verisignlabs/dnssec/cl/SignRRset.java
@@ -211,7 +211,12 @@ public class SignRRset extends CLBase {
 
   public void execute() throws Exception {
     // Read in the zone
-    List<Record> records = ZoneUtils.readZoneFile(inputfile, null);
+    List<Record> records = null;
+    try {
+      records = ZoneUtils.readZoneFile(inputfile, null);
+    } catch (java.io.IOException e) {
+      fail("Unable to read input file: " + e.getMessage());
+    }
     if (records == null || records.isEmpty()) {
       fail("empty RRset file");
     }
diff --git a/src/main/java/com/verisignlabs/dnssec/cl/SignZone.java b/src/main/java/com/verisignlabs/dnssec/cl/SignZone.java
index 8851f2e..d9c4044 100644
--- a/src/main/java/com/verisignlabs/dnssec/cl/SignZone.java
+++ b/src/main/java/com/verisignlabs/dnssec/cl/SignZone.java
@@ -64,7 +64,7 @@ public class SignZone extends CLBase {
   private boolean fullySignKeyset = false;
   private List<Name> includeNames = null;
   private boolean useNsec3 = false;
-  private byte[] salt = null;
+  private byte[] salt = {};
   private int iterations = 0;
   private int digestId = DNSSEC.Digest.SHA256;
   private long nsec3paramttl = -1;
@@ -161,7 +161,7 @@ public class SignZone extends CLBase {
         start = Instant.now().minusSeconds(3600);
       }
     } catch (java.text.ParseException e) {
-      fail("unable to parse start time specifiction: " + e);
+      fail("unable to parse start time specifiction: " + e.getMessage());
     }
 
     try {
@@ -172,7 +172,7 @@ public class SignZone extends CLBase {
         expire = Utils.convertDuration(start, "+2592000"); // 30 days
       }
     } catch (java.text.ParseException e) {
-      fail("missing zone file and/or key files");
+      fail("unable to parse end time specficiation: " + e.getMessage());
     }
 
     outputfile = cli.getOptionValue('f');
diff --git a/src/main/java/com/verisignlabs/dnssec/cl/VerifyZone.java b/src/main/java/com/verisignlabs/dnssec/cl/VerifyZone.java
index 91a23f4..4608f84 100644
--- a/src/main/java/com/verisignlabs/dnssec/cl/VerifyZone.java
+++ b/src/main/java/com/verisignlabs/dnssec/cl/VerifyZone.java
@@ -100,7 +100,15 @@ public class VerifyZone extends CLBase {
     zoneverifier.getVerifier().setCurrentTime(currentTime);
     zoneverifier.setIgnoreDuplicateRRs(ignoreDups);
 
-    List<Record> records = ZoneUtils.readZoneFile(zonefile, null);
+    List<Record> records = null;
+    try  {  
+      records = ZoneUtils.readZoneFile(zonefile, null);
+    } catch (java.io.IOException e) {
+      fail(e.getMessage());
+    }
+    if (records == null) {
+      fail("Unable to read a zone file");
+    }
 
     log.fine("verifying zone...");
     int errors = zoneverifier.verifyZone(records);
diff --git a/src/main/java/com/verisignlabs/dnssec/security/ZoneUtils.java b/src/main/java/com/verisignlabs/dnssec/security/ZoneUtils.java
index 5729197..002547a 100644
--- a/src/main/java/com/verisignlabs/dnssec/security/ZoneUtils.java
+++ b/src/main/java/com/verisignlabs/dnssec/security/ZoneUtils.java
@@ -58,13 +58,10 @@ public class ZoneUtils {
    */
   public static List<Record> readZoneFile(String zonefile, Name origin) throws IOException {
     ArrayList<Record> records = new ArrayList<>();
-    try (Master m = zonefile.equals("-") ? new Master(System.in) : new Master(zonefile, origin)) {
-      Record r = null;
-      while ((r = m.nextRecord()) != null) {
-        records.add(r);
-      }
-    } catch (IOException e) {
-      e.printStackTrace();
+    Master m = zonefile.equals("-") ? new Master(System.in) : new Master(zonefile, origin);
+    Record r = null;
+    while ((r = m.nextRecord()) != null) {
+      records.add(r);
     }
 
     return records;