diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 275c0d8..6943a26 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -36,6 +36,7 @@ global_credentials_directory: "credentials"
 global_public_key_directory: "public_keys"
 global_dns_list_directory: "{{ global_public_key_directory }}/dns"
+global_dns_update_key_algorithm: "ED25519"
 global_ssh_key_directory: "{{ global_public_key_directory }}/ssh"
 global_ssh_host_key_directory: "{{ global_ssh_key_directory }}/hosts"
diff --git a/roles/common/tasks/helpers.yml b/roles/common/tasks/helpers.yml
index c1dd39b..a4ffb73 100644
--- a/roles/common/tasks/helpers.yml
+++ b/roles/common/tasks/helpers.yml
@@ -30,6 +30,7 @@
 - backup_autoremove.sh
 - backup_files.sh
 - backup_mysql_database.sh
+ - nsupdate_keygen.sh
 
 - name: Configure auto remove older backups
 cron:
diff --git a/roles/common/templates/nsupdate_keygen.sh b/roles/common/templates/nsupdate_keygen.sh
new file mode 100644
index 0000000..1e4df7b
--- /dev/null
+++ b/roles/common/templates/nsupdate_keygen.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euxo pipefail;
+
+if [[ -z "${1+x}" ]]; then
+echo "Usage: $(basename "$0") HOST [PATH]" >&2
+exit 2;
+fi
+
+key_path="${2:-1}";
+if [[ "$key_path" = /* ]]; then
+target="$key_path";
+else
+target="$PWD/$key_path";
+fi
+
+tmpdir="$(mktemp --directory)";
+cd "$tmpdir";
+name="$(dnssec-keygen -a {{ global_dns_update_key_algorithm }} -n HOST -T KEY "$1")";
+for suffix in "key" "private"; do
+mv "$tmpdir/$name.$suffix" "$target.$suffix";
+done
+rm -rf "$tmpdir";
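Review bot: `key_path="${2:-1}"` in the new nsupdate_keygen.sh template defaults the output path to the literal string `1`, so a call with only HOST writes `$PWD/1.key` and `$PWD/1.private`; the usage line advertises PATH as optional, so the intended default is presumably the host name, `key_path="${2:-$1}";`. The temporary directory is only removed on the success path: under `set -e` a failing `dnssec-keygen` or `mv` exits while the freshly generated `.private` file is still sitting in `$tmpdir`, so the cleanup belongs in `trap 'rm -rf "$tmpdir"' EXIT` registered right after `mktemp`. The `mv` loop also overwrites an existing `$target.key`/`$target.private` without warning, which would silently replace a key an nsupdate client may still be configured with; checking for the files before generating avoids that. Rewritten lines below; the trailing `rm -rf "$tmpdir"` becomes redundant once the trap is in place.
```shell
key_path="${2:-$1}";
# … unchanged: absolute/relative target resolution …
for suffix in "key" "private"; do
  if [[ -e "$target.$suffix" ]]; then
    echo "refusing to overwrite existing $target.$suffix" >&2
    exit 1;
  fi
done
tmpdir="$(mktemp --directory)";
trap 'rm -rf "$tmpdir"' EXIT;
cd "$tmpdir";
# … unchanged: dnssec-keygen call and mv loop …
```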