diff --git a/README b/README
index 145679c..85bc462 100644
--- a/README
+++ b/README
@@ -24,8 +24,9 @@ Put key-value pairs in host_vars, under the key "nsd_local_config". If you want to pass multiple values for a key (e.g. ip-address), just use a list as value, it will automatically be expanded.
-The zones are configured in group_vars, see the example. The zone files
-themselves for primary zones should be put in files/nsd.
+The zones are configured in group_vars, see the example. It is possible
+to optionally add a TSIG key to each slave/master, see again the example.
+The zone files themselves for primary zones should be put in files/nsd.
 The playbook is currently only tested with Debian wheezy.
diff --git a/templates/primary_zone_config.j2 b/templates/primary_zone_config.j2
index acceab7..a949584 100644
--- a/templates/primary_zone_config.j2
+++ b/templates/primary_zone_config.j2
@@ -1,9 +1,23 @@
 # Primary zone definition for {{ item.zone_name }}
+
+{% for slave in item.slaves %}
+{% if slave.tsig_secret is defined %}
+key:
+ name: "{{ item.zone_name }}_{{ slave.ip }}"
+ algorithm: "{{ slave.tsig_algorithm }}"
+ secret: "{{ slave.tsig_secret }}"
+{% endif %}
+{% endfor %}
+
+{%- macro tsigkey(slave) %}
+{% if slave.tsig_secret is defined %}{{ item.zone_name }}_{{ slave.ip }}{% else %}NOKEY{% endif %}
+{% endmacro -%}
+
 zone:
 name: "{{ item.zone_name }}"
 zonefile: "{{ primary_zones_dir }}/{{ item.zone_filename }}"
 {% for slave in item.slaves %}
- notify: {{ slave.ip }} NOKEY
- provide-xfr: {{ slave.ip }} NOKEY
+ notify: {{ slave.ip }} "{{ tsigkey(slave) }}"
+ provide-xfr: {{ slave.ip }} "{{ tsigkey(slave) }}"
 {% endfor %}
diff --git a/templates/secondary_zone_config.j2 b/templates/secondary_zone_config.j2
index 9544e97..d468806 100644
--- a/templates/secondary_zone_config.j2
+++ b/templates/secondary_zone_config.j2
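Review bot: The key name in templates/primary_zone_config.j2 is built as `{{ item.zone_name }}_{{ slave.ip }}`, while the secondary template builds it from `master.ip`, so a primary and a secondary that are both rendered by this role end up with different names for the same shared secret. The TSIG key name is sent on the wire and has to be identical on both ends, so signed NOTIFY and transfer traffic between the two would be expected to fail verification. Take the name from an explicit per-peer variable instead, e.g. `name: "{{ slave.tsig_name }}"` in the `key:` block and `{{ slave.tsig_name }}` in the `tsigkey` macro, with the same change for `master` in the secondary hunk. `tsig_name` is a proposed variable, not one the role defines in the lines shown.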
@@ -1,9 +1,23 @@
 # Secondary zone definition for {{ item.zone_name }}
+
+{% for master in item.masters %}
+{% if master.tsig_secret is defined %}
+key:
+ name: "{{ item.zone_name }}_{{ master.ip }}"
+ algorithm: "{{ master.tsig_algorithm }}"
+ secret: "{{ master.tsig_secret }}"
+{% endif %}
+{% endfor %}
+
+{%- macro tsigkey(master) %}
+{% if master.tsig_secret is defined %}{{ item.zone_name }}_{{ master.ip }}{% else %}NOKEY{% endif %}
+{% endmacro -%}
+
 zone:
 name: "{{ item.zone_name }}"
 zonefile: "{{ secondary_zones_dir }}/{{ item.zone_name }}"
 {% for master in item.masters %}
- allow-notify: {{ master.ip }} NOKEY
- request-xfr: AXFR {{ master.ip }} NOKEY
+ allow-notify: {{ master.ip }} "{{ tsigkey(master) }}"
+ request-xfr: AXFR {{ master.ip }} "{{ tsigkey(master) }}"
 {% endfor %}
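Review bot: `secret: "{{ master.tsig_secret }}"` writes the shared secret in clear text into the rendered zone config, and the same holds for the `key:` block in the primary template. The task that renders these templates is outside this diff; it should create the file with a mode that is not world-readable and, because the looped `item` carries `tsig_secret`, set `no_log: true` so the value does not appear in play output. A template comment such as `{# tsig_secret is written in clear text: keep it in Ansible Vault and render this file non-world-readable #}` above the key loop would record that requirement. `tsig_algorithm` is also used without a guard, so a peer with a secret but no algorithm presumably aborts the render, and the README sentence could state that both values are required together.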