diff --git a/files/dnssec-init b/files/dnssec-init
new file mode 100644
index 0000000..9f812dd
--- /dev/null
+++ b/files/dnssec-init
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+CACHEDIR="$1"
+NAME="$2"
+DOMAIN="$3"
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+dnssec-keygen -K "${CACHEDIR}/${NAME}" "${DOMAIN}"
+dnssec-keygen -f KSK -K "${CACHEDIR}/${NAME}" "${DOMAIN}"
+dnssec-signzone -S -d "${CACHEDIR}" -K "${CACHEDIR}/${NAME}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
diff --git a/manifests/init.pp b/manifests/init.pp
index 32ac633..f7c1d6d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -13,6 +13,16 @@ class bind (
 ensure => latest,
 }
 
+ if $dnssec {
+ file { '/usr/local/bin/dnssec-init':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ source => 'puppet:///modules/bind/dnssec-init',
+ }
+ }
+
 service { $bind::params::bind_service:
 ensure => running,
 enable => true,
diff --git a/manifests/zone.pp b/manifests/zone.pp
index 657f4df..d93de12 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
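Review bot: The three commands in `dnssec-init` run with no exit-status check, so a failed `dnssec-keygen` (missing binary, unwritable key directory, a stalled entropy source) is silently followed by `dnssec-signzone`, and the script's own exit status is only that of the last command; add `set -euo pipefail` directly after the shebang so it stops at the first failure and also aborts when one of the three positional arguments is missing. Because the calling manifest re-runs the script until the `.signed` file exists, a failure after the first `dnssec-keygen` leaves an extra key pair in the key directory on every retry; skipping keygen when `K${DOMAIN}.*` files are already present, or removing freshly generated keys on failure, avoids accumulating unused keys. The key algorithm and size are left to `dnssec-keygen`'s defaults, which differ between BIND releases; if the deployment expects a particular algorithm, pass `-a` and `-b` explicitly. A usage comment at the top, `# usage: dnssec-init CACHEDIR NAME DOMAIN — generates a ZSK and KSK in CACHEDIR/NAME and writes the signed zone as CACHEDIR/NAME/DOMAIN.signed`, would document the contract the Puppet exec's `creates` guard depends on.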
@@ -4,27 +4,58 @@ define bind::zone (
 $masters = [],
 $allow_updates = [],
 $allow_transfers = [],
+ $dnssec = false,
 ) {
+ $cachedir = $bind::cachedir
+
 if $domain == '' {
 $_domain = $name
 } else {
 $_domain = $domain
 }
 
- case $zone_type {
- 'forward': {
- $file = ''
+ $has_zone_file = $zone_type ? {
+ 'master' => true,
+ 'slave' => true,
+ 'hint' => true,
+ 'stub' => true,
+ default => false,
+ }
+
+ if $has_zone_file {
+ file { "${cachedir}/${name}":
+ ensure => directory,
+ owner => $bind::params::bind_user,
+ group => $bind::params::bind_group,
+ mode => '0755',
+ require => Package[$bind::params::bind_package],
 }
- default: {
- $file = "${bind::cachedir}/${name}"
- file { $file:
- ensure => present,
- owner => 'root',
- group => $bind::params::bind_group,
- mode => '0644',
- replace => false,
- source => 'puppet:///modules/bind/db.empty',
- require => Package[$bind::params::bind_package],
+
+ file { "${cachedir}/${name}/${_domain}":
+ ensure => present,
+ owner => $bind::params::bind_user,
+ group => $bind::params::bind_group,
+ mode => '0644',
+ replace => false,
+ source => 'puppet:///modules/bind/db.empty',
+ audit => [ content ],
+ }
+
+ if $dnssec {
+ exec { "dnssec-keygen-${_domain}":
+ command => "/usr/local/bin/dnssec-init ${cachedir} ${name} ${_domain}",
+ cwd => $cachedir,
+ user => $bind::params::bind_user,
+ creates => "${cachedir}/${name}/${_domain}.signed",
+ timeout => 0, # crypto is hard
+ require => [ File['/usr/local/bin/dnssec-init'], File["${cachedir}/${name}/${_domain}"] ],
+ }
+
+ file { "${cachedir}/${name}/${_domain}.signed":
+ owner => $bind::params::bind_user,
+ group => $bind::params::bind_group,
+ mode => '0644',
+ audit => [ content ],
+ }
 }
 }
diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb
index 3dd21c9..5153571 100644
--- a/templates/zone.conf.erb
+++ b/templates/zone.conf.erb
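Review bot: `$name` and `$_domain` are interpolated unquoted into the exec `command` string, and both are chosen by whoever declares the `bind::zone` resource; a value with whitespace or shell metacharacters breaks the argument split or, if the exec provider hands the string to a shell, injects commands that run as `$bind::params::bind_user`. Reject anything that is not a plain DNS name before building the command, e.g. `if $_domain !~ /^[A-Za-z0-9._-]+$/ { fail("bind::zone: invalid domain '${_domain}'") }` with the same check on `$name`, which also keeps the quoted script arguments and the file paths built from them well-formed. `require => File['/usr/local/bin/dnssec-init']` names a resource that the `bind` class only declares when its own class-level `$dnssec` is true, so a zone with `dnssec => true` under a class declared with `dnssec => false` fails catalog compilation with a missing-dependency error instead of a clear message; either always install the script or `fail()` with an explanation when the class flag is off. The `.signed` file resource has no `ensure` and no relationship to the exec that produces it, so on the first run it may be evaluated before the file exists; `require => Exec["dnssec-keygen-${_domain}"]` makes the ordering explicit. Auditing the content of `.signed` will also report a change on every run once named starts re-signing the zone under `auto-dnssec maintain`, so that audit is likely to be noise rather than a signal.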
@@ -2,8 +2,14 @@
 # This file managed by puppet - changes will be lost
 zone "<%= _domain %>" {
 type <%= zone_type %>;
-<%- if file != '' -%>
- file "<%= file %>";
+<%- if has_zone_file -%>
+<%- if dnssec -%>
+ auto-dnssec maintain;
+ key-directory "<%= cachedir %>/<%= name %>";
+ file "<%= cachedir %>/<%= name %>/<%= _domain %>.signed";
+<%- else -%>
+ file "<%= cachedir %>/<%= name %>/<%= _domain %>";
+<%- end -%>
 <%- end -%>
 <%- if not masters.empty? -%>
 masters {
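Review bot: `auto-dnssec maintain` only takes effect on a zone that named is allowed to modify, i.e. one with an `allow-update`/`update-policy` statement or `inline-signing yes;`; whether the rest of this template emits such a statement from `allow_updates` is outside the hunk, and if it does not, named loads the `.signed` file but never re-signs it, so the RRSIGs written by the one-off `dnssec-signzone` run expire after the tool's default validity period and validating resolvers start rejecting the zone. Emit `update-policy local;` (or `inline-signing yes;`) inside the `<%- if dnssec -%>` branch, or at least add a template comment stating that DNSSEC zones must have dynamic updates enabled for key and signature maintenance to happen. A short comment next to `key-directory`, such as `# private keys generated by dnssec-init; must be readable by the named user`, would also record why the directory is the same one the manifest's exec populates.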