diff --git a/manifests/config.pp b/manifests/config.pp
index 314f973..6ccb0c3 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -5,16 +5,17 @@ class knot::config {
   # get variables from the toplevel manifest for usage in the template
-  $config_file = $::knot::main_config_file
-  $zones_file = $::knot::zones_config_file
-  $zone_storage = $::knot::zone_storage
+  $config_file = $::knot::main_config_file
   $dnssec_enable = $::knot::dnssec_enable
   $dnssec_keydir = $::knot::dnssec_keydir
-  $service_user = $::knot::service_user
+  $manage_zones = $::knot::manage_zones
   $service_group = $::knot::service_group
+  $service_user = $::knot::service_user
+  $signing_policies = $::knot::signing_policies
   $zone_defaults = $::knot::zone_defaults
-  $zone_options = $::knot::zone_options
-  $manage_zones = $::knot::manage_zones
+  $zone_options = $::knot::zone_options
+  $zone_storage = $::knot::zone_storage
+  $zones_file = $::knot::zones_config_file
   # knot configuration sections
   $acls = $::knot::acls
@@ -60,10 +61,24 @@
   }
   if $dnssec_enable {
+    $_signing_policy_names = keys($signing_policies)
+
     file { $dnssec_keydir:
-      ensure => directory,
-      owner => $service_user,
-      group => $service_group,
+      ensure => directory,
+      owner => $service_user,
+      group => $service_group,
+      recurse => true,
+    } ->
+    exec { 'initialize_kasp':
+      command => '/usr/sbin/keymgr init',
+      creates => "${dnssec_keydir}/keys",
+      cwd => $dnssec_keydir,
+    } ->
+    ::knot::signing_policy { $_signing_policy_names:
+      data => $signing_policies,
+      dnssec_keydir => $dnssec_keydir,
+      user => $service_user,
+      group => $service_group,
     }
   }
diff --git a/manifests/init.pp b/manifests/init.pp
index 68b74e6..ab85c7e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -191,6 +191,8 @@
   $server = $::knot::params::server,
   $templates = undef,
   $zones = {},
+  # DNSSEC
+  $signing_policies = {}
 ) inherits ::knot::params {
   # package installation handling
diff --git a/manifests/params.pp b/manifests/params.pp
index 5110827..0983733 100644
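Review bot: The `initialize_kasp` exec in the second hunk sets no `user`/`group`, unlike the `::knot::signing_policy` exec chained right after it, so `keymgr init` runs as the agent's user and whatever it creates under `$dnssec_keydir` (the `creates => "${dnssec_keydir}/keys"` guard suggests a `keys` subdirectory, but that is not visible here) is owned by that user until the `file` resource's `recurse => true` corrects ownership on the following run; the policy execs that run as `$service_user` in that same directory in between may therefore fail on first apply. Add `user => $service_user,` and `group => $service_group,` to the `initialize_kasp` exec so the whole chain runs as the service account. The `file` resource also declares no `mode` for a directory that is about to hold signing keys; stating one explicitly (applied to the tree via `recurse`) is preferable to inheriting the umask of whoever runs the agent.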
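Review bot: The new `$signing_policies` parameter in init.pp carries only the bare `# DNSSEC` label, so a caller cannot tell what shape it expects; from `manifests/signing_policy.pp` in this same commit it is a hash keyed by policy name whose values provide `algorithm`, `zsk-size` and `ksk-size`. Replace the label with `# DNSSEC: hash of policy name => { algorithm, zsk-size, ksk-size }; one knot::signing_policy is declared per key`. The parameter list begins and the class body continues outside the hunk, so any existing parameter documentation block above it should receive the same description.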
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -58,7 +58,7 @@
   # knot configuration defaults
   # coming from the package installation
-  $dnssec_enable = false
+  $dnssec_enable = true
   $main_config_file = '/etc/knot/knot.conf'
   $zones_config_file = '/etc/knot/zones.conf'
   $server = {
@@ -70,7 +70,7 @@
     },
   }
   $zone_storage = '/var/lib/knot'
-  $dnssec_keydir = '/etc/knot/dnssec_keys.d'
+  $dnssec_keydir = '/var/lib/knot/kasp'
   $manage_zones = true
 }
diff --git a/manifests/signing_policy.pp b/manifests/signing_policy.pp
new file mode 100644
index 0000000..7c6ad8b
--- /dev/null
+++ b/manifests/signing_policy.pp
@@ -0,0 +1,21 @@
+#
+define knot::signing_policy (
+  $data,
+  $dnssec_keydir,
+  $user,
+  $group,
+) {
+
+  $_algorithm = $data[$name]['algorithm']
+  $_zsk_size = $data[$name]['zsk-size']
+  $_ksk_size = $data[$name]['ksk-size']
+
+  exec { "create_signing_policy_${name}":
+    command => "/usr/sbin/keymgr policy add ${name} algorithm ${_algorithm} zsk-size ${_zsk_size} ksk-size ${_ksk_size}",
+    creates => "${dnssec_keydir}/policy_${name}.json",
+    cwd => $dnssec_keydir,
+    user => $user,
+    group => $group,
+  }
+
+}
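Review bot: Flipping the `$dnssec_enable` default from `false` to `true` changes behaviour for every existing consumer of the module: on their next agent run the `if $dnssec_enable` branch in config.pp will create `$dnssec_keydir`, execute `/usr/sbin/keymgr init` and declare signing policies without any change to their own manifests. If that is intended it needs a changelog entry and a mention in the class documentation; otherwise keep `$dnssec_enable = false` and let users opt in explicitly.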
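Review bot: The `$dnssec_keydir` default moves from `/etc/knot/dnssec_keys.d` to `/var/lib/knot/kasp`, which sits inside the `$zone_storage` default `/var/lib/knot` declared on the line above, and nothing in the commit migrates or references keys at the old location. Deployments that relied on the old default will presumably get a fresh KASP at the new path on the next run (the `initialize_kasp` guard only checks the new directory), so this should be called out as a breaking change alongside the enable flag; whether anything manages or purges `$zone_storage` recursively is not visible here, but if it does it would now reach the key material as well.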
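Review bot: In signing_policy.pp `${name}`, `${_algorithm}`, `${_zsk_size}` and `${_ksk_size}` are interpolated into the `exec` command string without validation, and the three hash lookups yield `undef` when a policy omits a key, which leaves an empty argument after `zsk-size`/`ksk-size` and makes keymgr fail at run time instead of the catalog failing at compile time. Constrain them before building the command, e.g. `validate_re($name, '^[A-Za-z0-9._-]+$')` and `validate_integer([$_zsk_size, $_ksk_size])` (both from puppetlabs-stdlib, which the `keys()` call in config.pp suggests is already a dependency), and give `$_algorithm` the same kind of anchored check. The leading `#` comment is empty; it should say that `$data` is the complete `signing_policies` hash and that the define looks up its own `$name` in it, so a title that is not a key of `$data` is a caller error.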