diff --git a/roles/knot/defaults/main.yml b/roles/knot/defaults/main.yml
index 8fb282a..de7fb2b 100644
--- a/roles/knot/defaults/main.yml
+++ b/roles/knot/defaults/main.yml
@@ -21,7 +21,12 @@ knot_zone_dnssec_signing: 'on'
 
 knot_dnssec_policy_algorithm: ecdsap384sha384
 knot_dnssec_policy_nsec3: 'on'
-knot_dnssec_policy_ksk_shared: 'on'
+knot_dnssec_policy_ksk_shared: 'off'
 knot_dnssec_policy_ksk_size: 384
 knot_dnssec_policy_zsk_size: 384
+knot_dnssec_policy_zsk_lifetime: 30d
+knot_dnssec_policy_ksk_lifetime: 0
 knot_dnssec_policy_cds_publish: 'double-ds'
+
+knot_dnssec_submission_check_interval: 1h
+knot_dnssec_submission_timeout: 0
diff --git a/roles/knot/templates/etc/knot/knot.conf.j2 b/roles/knot/templates/etc/knot/knot.conf.j2
index 4977766..70e4fd8 100644
--- a/roles/knot/templates/etc/knot/knot.conf.j2
+++ b/roles/knot/templates/etc/knot/knot.conf.j2
@@ -35,7 +35,7 @@ key:
 
 
 remote:
-{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
+{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='parents') | select('defined') ) ) | flatten | unique %}
 
   - id: remote-{{ remote }}
 {% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
@@ -84,6 +84,18 @@ acl:
 #   MASTER ZONES
 #
 
+submission:
+{% for zone in zones %}
+
+  - id: submission: {{ zone.name }}
+    check-interval: {{ knot_dnssec_submission_check_interval }}
+    timeout: {{ knot_dnssec_submission_timeout }}
+    parent:
+{% for parent in zone.parents | default([]) %}
+    - {{ parent }}
+{% endfor %}
+{% endfor %}
+
 policy:
 {% for zone in zones %}
 {% if inventory_hostname in zone.masters %}
@@ -93,6 +105,10 @@ policy:
     nsec3: {{ knot_dnssec_policy_nsec3 }}
     ksk-size: {{ knot_dnssec_policy_ksk_size }}
     zsk-size: {{ knot_dnssec_policy_zsk_size }}
+    zsk-size: {{ knot_dnssec_policy_zsk_size }}
+    zsk-lifetime: {{ zone.zsk_lifetime | default(knot_dnssec_policy_zsk_lifetime) }}
+    ksk-lifetime: {{ zone.ksk_lifetime | default(knot_dnssec_policy_ksk_lifetime) }}
+    ksk-submission: submission-{{ zone.name }}
     ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
     cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
 {% endif %}