diff --git a/lib/dns/config/confzone.c b/lib/dns/config/confzone.c
index d719a591b7..984f9daacd 100644
--- a/lib/dns/config/confzone.c
+++ b/lib/dns/config/confzone.c
@@ -22,6 +22,7 @@
 #include <dns/confzone.h>
 #include <dns/confcommon.h>
 #include <dns/log.h>
+#include <dns/ssu.h>
 
 #include "confpvt.h"
 
@@ -728,6 +729,49 @@ dns_c_zone_setallowupdateforwarding(dns_c_zone_t *zone,
 }
 
 
+isc_result_t
+dns_c_zone_setssuauth(dns_c_zone_t *zone, dns_ssutable_t *ssu)
+{
+	dns_ssutable_t **p = NULL;
+	isc_boolean_t existed;
+	
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+
+	switch (zone->ztype) {
+	case dns_c_zone_master:
+		p = &zone->u.mzone.ssuauth;
+		break;
+			
+	case dns_c_zone_slave:
+		p = &zone->u.szone.ssuauth;
+		break;
+		
+	case dns_c_zone_stub:
+		p = &zone->u.tzone.ssuauth;
+		break;
+		
+	case dns_c_zone_hint:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "Hint zones do not have an ssuauth field");
+		return (ISC_R_FAILURE);
+			
+	case dns_c_zone_forward:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "Forward zones do not have an "
+			      "ssuauth field");
+		return (ISC_R_FAILURE);
+	}
+
+	existed = (*p != NULL ? ISC_TRUE : ISC_FALSE);
+	
+	*p = ssu;
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+
 isc_result_t
 dns_c_zone_setallowquery(dns_c_zone_t *zone,
 			 dns_c_ipmatchlist_t *ipml,
@@ -1911,6 +1955,53 @@ dns_c_zone_getallowupd(dns_c_zone_t *zone,
 }
 
 
+isc_result_t
+dns_c_zone_getssuauth(dns_c_zone_t *zone, dns_ssutable_t **retval)
+{
+	dns_ssutable_t *p = NULL;
+	isc_result_t res;
+	
+	REQUIRE(DNS_C_ZONE_VALID(zone));
+	REQUIRE(retval != NULL);
+
+	switch (zone->ztype) {
+	case dns_c_zone_master:
+		p = zone->u.mzone.ssuauth;
+		break;
+			
+	case dns_c_zone_slave:
+		p = zone->u.szone.ssuauth;
+		break;
+		
+	case dns_c_zone_stub:
+		p = zone->u.tzone.ssuauth;
+		break;
+		
+	case dns_c_zone_hint:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "Hint zones do not have an ssuauth field");
+		return (ISC_R_FAILURE);
+			
+	case dns_c_zone_forward:
+		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
+			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
+			      "Forward zones do not have an "
+			      "ssuauth field");
+		return (ISC_R_FAILURE);
+	}
+
+	if (p != NULL) {
+		*retval = p;
+		res = ISC_R_SUCCESS;
+	} else {
+		res = ISC_R_NOTFOUND;
+	}
+
+	return (res);
+}
+
+
 isc_result_t
 dns_c_zone_getallowupdateforwarding(dns_c_zone_t *zone,
 				    dns_c_ipmatchlist_t **retval)
@@ -3073,6 +3164,10 @@ master_zone_print(FILE *fp, int indent,
 		fprintf(fp, ";\n");
 	}
 
+	if (mzone->ssuauth != NULL) {
+		dns_c_ssutable_print(fp, indent, mzone->ssuauth);
+	}
+
 	if (mzone->allow_update_forwarding != NULL &&
 	    !ISC_LIST_EMPTY(mzone->allow_update_forwarding->elements)) {
 		dns_c_printtabs(fp, indent);
@@ -3244,6 +3339,10 @@ slave_zone_print(FILE *fp, int indent,
 		fprintf(fp, ";\n");
 	}
 
+	if (szone->ssuauth != NULL) {
+		dns_c_ssutable_print(fp, indent, szone->ssuauth);
+	}
+
 	if (szone->allow_update_forwarding != NULL &&
 	    !ISC_LIST_EMPTY(szone->allow_update_forwarding->elements)) {
 		dns_c_printtabs(fp, indent);
@@ -3394,6 +3493,10 @@ stub_zone_print(FILE *fp, int indent, dns_c_stubzone_t *tzone)
 		fprintf(fp, ";\n");
 	}
 
+	if (tzone->ssuauth != NULL) {
+		dns_c_ssutable_print(fp, indent, tzone->ssuauth);
+	}
+
 	if (tzone->allow_update_forwarding != NULL &&
 	    !ISC_LIST_EMPTY(tzone->allow_update_forwarding->elements)) {
 		dns_c_printtabs(fp, indent);
@@ -3520,6 +3623,7 @@ master_zone_init(dns_c_masterzone_t *mzone)
 	
 	mzone->file = NULL;
 	mzone->allow_update = NULL;
+	mzone->ssuauth = NULL;
 	mzone->allow_update_forwarding = NULL;
 	mzone->allow_query = NULL;
 	mzone->allow_transfer = NULL;
@@ -3545,6 +3649,7 @@ slave_zone_init(dns_c_slavezone_t *szone)
 	szone->ixfr_tmp = NULL;
 	szone->master_ips = NULL;
 	szone->allow_update = NULL;
+	szone->ssuauth = NULL;
 	szone->allow_update_forwarding = NULL;
 	szone->allow_query = NULL;
 	szone->allow_transfer = NULL;
@@ -3566,6 +3671,7 @@ stub_zone_init(dns_c_stubzone_t *tzone)
 	tzone->file = NULL;
 	tzone->master_ips = NULL;
 	tzone->allow_update = NULL;
+	tzone->ssuauth = NULL;
 	tzone->allow_update_forwarding = NULL;
 	tzone->allow_query = NULL;
 	tzone->allow_transfer = NULL;
@@ -3663,6 +3769,9 @@ master_zone_clear(isc_mem_t *mem, dns_c_masterzone_t *mzone)
 	if (mzone->allow_update != NULL)
 		dns_c_ipmatchlist_detach(&mzone->allow_update);
 
+	if (mzone->ssuauth != NULL)
+		dns_ssutable_destroy(&mzone->ssuauth);
+	
 	if (mzone->allow_update_forwarding != NULL)
 		dns_c_ipmatchlist_detach(&mzone->allow_update_forwarding);
 
@@ -3720,6 +3829,9 @@ slave_zone_clear(isc_mem_t *mem, dns_c_slavezone_t *szone)
 	if (szone->allow_update != NULL)
 		dns_c_ipmatchlist_detach(&szone->allow_update);
 	
+	if (szone->ssuauth != NULL)
+		dns_ssutable_destroy(&szone->ssuauth);
+	
 	if (szone->allow_update_forwarding != NULL)
 		dns_c_ipmatchlist_detach(&szone->allow_update_forwarding);
 	
@@ -3762,6 +3874,9 @@ stub_zone_clear(isc_mem_t *mem, dns_c_stubzone_t *tzone)
 	if (tzone->allow_update != NULL)
 		dns_c_ipmatchlist_detach(&tzone->allow_update);
 	
+	if (tzone->ssuauth != NULL)
+		dns_ssutable_destroy(&tzone->ssuauth);
+	
 	if (tzone->allow_update_forwarding != NULL)
 		dns_c_ipmatchlist_detach(&tzone->allow_update_forwarding);