diff --git a/authoritative-dns.nix b/authoritative-dns.nix
index e697f82..04fb8ea 100644
--- a/authoritative-dns.nix
+++ b/authoritative-dns.nix
@@ -102,11 +102,13 @@ in {
 inherit (domainCfg) zone;
 };
 }) cfg.domains;
- reverseZones = concatMapAttrs (domain: domainOpts:
+ reverseZones = concatMapAttrs (domain:
+ { ksk, zone, ... }:
 listToAttrs (map (network:
 reverseZonefile {
- inherit domain network;
- inherit (domainOpts.zone) nameservers;
+ inherit domain network ksk;
+ inherit (zone) nameservers;
+ keyFile = ksk.key-file;
 ipHostMap = cfg.ip-host-map;
 serial = cfg.timestamp;
 }) domainOpts.reverse-zones)) cfg.domains;
diff --git a/reverse-zone.nix b/reverse-zone.nix
index f2c1dde..2490813 100644
--- a/reverse-zone.nix
+++ b/reverse-zone.nix
@@ -1,7 +1,8 @@
 { pkgs, ... }:
-{ domain, network, nameservers, ipHostMap, serial, zoneTTL ? 10800
-, refresh ? 3600, retry ? 1800, expire ? 604800, minimum ? 3600 }:
+{ domain, network, nameservers, ipHostMap, serial, keyFile ? null
+, zoneTTL ? 10800, refresh ? 3600, retry ? 1800, expire ? 604800, minimum ? 3600
+}:
 with pkgs.lib;
 let
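Review bot: The unchanged last line of the hunk, `}) domainOpts.reverse-zones)) cfg.domains;`, still references `domainOpts`, but the new lambda binds `{ ksk, zone, ... }:` instead, so unless an outer binding of that name exists evaluation will fail with an undefined-variable error. Binding the pattern as `domainOpts@{ ksk, zone, ... }:` keeps the existing reference working, or destructure `reverse-zones` as well and close with `}) reverse-zones)) cfg.domains;`. Separately, `keyFile = ksk.key-file;` now hands the forward domain's KSK to every reverse zone; if `key-file` is declared as a Nix path rather than a string, the private key would be copied into the world-readable Nix store at build time, so the option type is worth confirming, as is the fact that each reverse zone's DS record must be published in its in-addr.arpa/ip6.arpa parent independently of the forward domain. The enclosing attribute set that `reverseZones` belongs to starts and ends outside the hunk.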
@@ -47,16 +48,21 @@ let
 nameserverEntries = map (nameserver: "@ IN NS ${nameserver}.") nameservers;
-in nameValuePair "${getNetworkZoneName network}" ''
- $ORIGIN ${getNetworkZoneName network}
- $TTL ${toString zoneTTL}
- @ IN SOA ${head nameservers}. hostmaster.${domain}. (
- ${serial}
- ${toString refresh}
- ${toString retry}
- ${toString expire}
- ${toString minimum}
- )
- ${concatStringsSep "\n" nameserverEntries}
- ${concatStringsSep "\n" (generateReverseZoneEntries network domain ipHostMap)}
-''
+in nameValuePair "${getNetworkZoneName network}" {
+ dnssec = keyFile != null;
+ ksk.keyFile = keyFile;
+ data = ''
+ $ORIGIN ${getNetworkZoneName network}
+ $TTL ${toString zoneTTL}
+ @ IN SOA ${head nameservers}. hostmaster.${domain}. (
+ ${serial}
+ ${toString refresh}
+ ${toString retry}
+ ${toString expire}
+ ${toString minimum}
+ )
+ ${concatStringsSep "\n" nameserverEntries}
+ ${concatStringsSep "\n"
+ (generateReverseZoneEntries network domain ipHostMap)}
+ '';
+}
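Review bot: `ksk.keyFile = keyFile;` is emitted unconditionally, so a reverse zone built without a key (the `keyFile ? null` default) gets `dnssec = false` together with `ksk.keyFile = null`; whether that is accepted depends on the consuming option's type, which is not visible here, and a non-nullable `path` option would reject the whole zone rather than just leave it unsigned. Guarding the attribute with `ksk = optionalAttrs (keyFile != null) { inherit keyFile; };` (`optionalAttrs` is in scope via `with pkgs.lib;`) keeps the key entry out of unsigned zones and makes `dnssec` the single switch. The `let` block this `in` closes begins before the hunk, so `generateReverseZoneEntries` and `getNetworkZoneName` are out of view.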