diff --git a/roles/named/tasks/main.yml b/roles/named/tasks/main.yml
index f515541..8419b34 100644
--- a/roles/named/tasks/main.yml
+++ b/roles/named/tasks/main.yml
@@ -13,6 +13,16 @@
   tags:
   - install
+- name: ensure named keys are configured
+  template:
+    src: named.secrets.j2
+    dest: /etc/named.secrets
+    mode: '0440'
+    owner: root
+    group: named
+    validate: named-checkconf %s
+  notify: reload named
+
 - name: ensure zones are configured
   template:
     src: named.zones.j2
diff --git a/roles/named/templates/named.conf.j2 b/roles/named/templates/named.conf.j2
index 0e21e1f..23d1dcc 100644
--- a/roles/named/templates/named.conf.j2
+++ b/roles/named/templates/named.conf.j2
@@ -65,6 +65,7 @@ zone "." IN {
 include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";
+include "/etc/named.secrets";
 include "/etc/named.zones";
 {% for path in named_global_include %}
 include "{{ path }}";
diff --git a/roles/named/templates/named.secrets.j2 b/roles/named/templates/named.secrets.j2
new file mode 100644
index 0000000..6034965
--- /dev/null
+++ b/roles/named/templates/named.secrets.j2
@@ -0,0 +1,8 @@
+// DNSSEC key configuration for ISC BIND
+{% for key in named_keys %}
+
+key {{ key.name }} {
+  algorithm {{ key.algorithm|d('hmac-md5') }};
+  secret "{{ key.secret }}";
+};
+{% endfor %}
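Review bot: The new "ensure named keys are configured" task renders the key secrets into /etc/named.secrets but does nothing to keep them out of Ansible's own output: a run with `--diff` (or check mode with diff enabled) prints the full rendered content, and verbose module results can carry it too, so the secrets end up in CI and controller logs. Add `no_log: true` to the task (at minimum `diff: false`) so the file content is never echoed. The `mode: '0440'`, `owner: root`, `group: named` lines are the right permissions for a file named reads only through an include, and quoting the mode avoids the octal-parsing trap. The surrounding task list continues outside the hunk, so whether neighbouring tasks already carry `no_log` cannot be seen here.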
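Review bot: The added `include "/etc/named.secrets";` is unconditional, so named-checkconf on named.conf, and named itself, will fail on any host where that file has not been rendered yet; the task that templates named.conf is outside this diff, so its ordering relative to the new secrets task should be confirmed, or the include guarded with `{% if named_keys|d([]) %}include "/etc/named.secrets";{% endif %}` so hosts without keys keep a valid configuration. Keeping the include ahead of named.zones is sensible, since zone statements there are the likely consumers of these key names. The enclosing template continues on both sides of the hunk.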
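Review bot: The per-key default `algorithm {{ key.algorithm|d('hmac-md5') }};` selects a deprecated TSIG algorithm for every key that does not set one explicitly; default to `hmac-sha256` instead, `algorithm {{ key.algorithm|d('hmac-sha256') }};`, and leave hmac-md5 as an explicit per-key choice for legacy peers only. The loop header `{% for key in named_keys %}` makes rendering fail when `named_keys` is undefined, so `{% for key in named_keys|d([]) %}` keeps the role usable for hosts that have no keys. The header comment is misleading: `key` statements are TSIG keys for transfer and update authentication, not DNSSEC material, so it should read `// TSIG key configuration for ISC BIND`. Quoting the name, `key "{{ key.name }}" {`, matches the BIND documentation form and avoids parse surprises for names that are not plain identifiers.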