diff --git a/roles/dns/master/tasks/main.yml b/roles/dns/master/tasks/main.yml
index 8573dad..d65c3c1 100644
--- a/roles/dns/master/tasks/main.yml
+++ b/roles/dns/master/tasks/main.yml
@@ -33,24 +33,6 @@
     group: root
     mode: u=rwx,g=rx,o=
 
-- name: Determine if keys are generated already
-  find:
-    paths: "{{ keys_directory }}"
-    patterns: "K{{ domain }}.+*+*"
-  register: keys_found
-
-- name: Generate key signing key for zone {{ domain }}
-  command: >-
-    dnssec-keygen
-    -f KSK
-    -3
-    -a {{ dnssec_algorithm | quote }}
-    -b {{ dnssec_key_length | quote }}
-    -n ZONE {{ domain | quote }}
-  args:
-    chdir: "{{ keys_directory }}"
-  when: keys_found.matched < 2
-
 # TODO Copy public ZSK to localhost
 
 - name: Store main database of zone {{ domain }}
diff --git a/roles/dns/master/templates/zone.conf b/roles/dns/master/templates/zone.conf
index 074ab0d..3f49024 100644
--- a/roles/dns/master/templates/zone.conf
+++ b/roles/dns/master/templates/zone.conf
@@ -1,10 +1,27 @@
+dnssec-policy "{{ domain }}-policy" {
+  keys {
+    ksk key-directory lifetime unlimited algorithm {{ dnssec_algorithm }} {{ dnssec_key_length }};
+    zsk key-directory lifetime P30D algorithm {{ dnssec_algorithm }} {{ dnssec_key_length }};
+  };
+  publish-safety P1D;
+  retire-safety P1D;
+  signatures-refresh P5D;
+  signatures-validity P10D;
+  signatures-validity-dnskey P10D;
+  max-zone-ttl PT24H;
+  zone-propagation-delay PT5M;
+  parent-ds-ttl P1D;
+  parent-propagation-delay PT1H;
+  parent-registration-delay P5D;
+};
+
 zone "{{ domain }}" {
   type master;
   file "{{ database_file }}";
   key-directory "{{ keys_directory }}";
   // dnssec
   inline-signing yes;
-  auto-dnssec maintain;
+  dnssec-policy "{{ domain }}-policy";
   // notify & transfer
   notify yes;
   allow-transfer {