diff --git a/bin/named/config.c b/bin/named/config.c index f4b2d4e7bd..4f7c7fe0b6 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -179,6 +179,8 @@ options {\n\ notify-source *;\n\ notify-source-v6 *;\n\ nsec3-test-zone no;\n\ + parental-source *;\n\ + parental-source-v6 *;\n\ provide-ixfr true;\n\ qname-minimization relaxed;\n\ query-source address *;\n\ diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index b4a91cd4c9..46a2ca1fe3 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -343,6 +343,10 @@ OPTIONS nta-lifetime duration; nta-recheck duration; nxdomain-redirect string; + parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [ + dscp integer ]; + parental-source-v6 ( ipv6_address | * ) [ port ( integer | * ) + ] [ dscp integer ]; pid-file ( quoted_string | none ); port integer; preferred-glue string; @@ -744,6 +748,10 @@ VIEW nta-lifetime duration; nta-recheck duration; nxdomain-redirect string; + parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [ + dscp integer ]; + parental-source-v6 ( ipv6_address | * ) [ port ( integer | * ) + ] [ dscp integer ]; plugin ( query ) string [ { unspecified-text } ]; preferred-glue string; @@ -945,6 +953,10 @@ VIEW remote-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ tls string ]; ... }; + parental-source ( ipv4_address | * ) [ port ( integer | + * ) ] [ dscp integer ]; + parental-source-v6 ( ipv6_address | * ) [ port ( + integer | * ) ] [ dscp integer ]; primaries [ port integer ] [ dscp integer ] { ( remote-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ 
@@ -1057,6 +1069,10 @@ ZONE remote-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ tls string ]; ... }; + parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [ + dscp integer ]; + parental-source-v6 ( ipv6_address | * ) [ port ( integer | * ) + ] [ dscp integer ]; primaries [ port integer ] [ dscp integer ] { ( remote-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ tls diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 873da27849..9680e12874 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1320,6 +1320,30 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, NULL, 0)); } + obj = NULL; + result = named_config_get(maps, "parental-source", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + RETERR(dns_zone_setparentalsrc4(zone, cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } + RETERR(dns_zone_setparentalsrc4dscp(zone, dscp)); + named_add_reserved_dispatch(named_g_server, + cfg_obj_assockaddr(obj)); + + obj = NULL; + result = named_config_get(maps, "parental-source-v6", &obj); + INSIST(result == ISC_R_SUCCESS && obj != NULL); + RETERR(dns_zone_setparentalsrc6(zone, cfg_obj_assockaddr(obj))); + dscp = cfg_obj_getdscp(obj); + if (dscp == -1) { + dscp = named_g_dscp; + } + RETERR(dns_zone_setparentalsrc6dscp(zone, dscp)); + named_add_reserved_dispatch(named_g_server, + cfg_obj_assockaddr(obj)); + obj = NULL; result = named_config_get(maps, "notify-source", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index bd6a9b083d..616a5441d4 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf 
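Review bot: The `INSIST(result == ISC_R_SUCCESS && obj != NULL)` after each `named_config_get(maps, "parental-source", &obj)` / `"parental-source-v6"` call is only safe because bin/named/config.c in this same commit adds `parental-source *;` and `parental-source-v6 *;` to the built-in defaults, which `maps` presumably falls through to; a zone that omits the clause would otherwise fail the assertion rather than get a default. A one-line comment at the first lookup, `/* always present: defaults in config.c supply "*" */`, would record that coupling for whoever later trims the default options. Both stanzas are also line-for-line copies of the notify-source stanza that follows, so the `dscp == -1` → `named_g_dscp` fallback now appears four times in this function; folding the address/dscp/reserved-dispatch steps into one static helper taking the clause name and the two zone setters would keep the four blocks from drifting. named_zone_configure starts and ends outside this hunk.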
@@ -185,6 +185,7 @@ view "fourth" { 1.2.3.5; }; dnssec-policy "test"; + parental-source 10.10.10.10 port 53 dscp 55; }; zone "dnssec-default" { type master; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index d6a45551eb..da6d3d6020 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -2627,7 +2627,7 @@ options are: .. note:: Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets. -.. note:: See also ``transfer-source`` and ``notify-source``. +.. note:: See also ``transfer-source``, ``notify-source`` and ``parental-source``. .. _zone_transfers: 
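Review bot: Only the IPv4 form is exercised here: `parental-source 10.10.10.10 port 53 dscp 55;` is added to one zone in view "fourth", while `parental-source-v6`, the `*` wildcard forms, and the options/view-level placement that the grammar files in this commit document get no coverage. Adding a sibling line such as `parental-source-v6 2001:db8::1 port 53 dscp 55;` (constructed sample) next to it would also run the new `{ "parental-source", "parental-source-v6" }` entry in lib/bind9/check.c's `sources[]` table through checkconf, assuming that table drives the per-family source checks as its neighbours do.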
@@ -5136,6 +5136,32 @@ The following options can be specified in a ``dnssec-policy`` statement: zone is updated to the time when the new version is served by all of the parent zone's name servers. The default is ``PT1H`` (1 hour). +Automated KSK Rollovers +^^^^^^^^^^^^^^^^^^^^^^^ + +BIND has mechanisms in place to facilitate automated KSK rollovers. It +publishes CDS and CDNSKEY records that can be used by the parent zone to +publish or withdraw the zone's DS records. BIND will query the parental +agents to see if the new DS is actually published before withdrawing the +old DNSSEC key. The following options apply to DS queries sent to +``parental-agents``: + +``parental-source`` + ``parental-source`` determines which local source address, and + optionally UDP port, is used to send parental DS queries. This + address must appear in the secondary server's ``parental-agents`` zone + clause. This statement sets the ``parental-source`` for all zones, but can + be overridden on a per-zone or per-view basis by including a + ``parental-source`` statement within the ``zone`` or ``view`` block in the + configuration file. + + .. note:: Solaris 2.5.1 and earlier does not support setting the source + address for TCP sockets. + +``parental-source-v6`` + This option acts like ``parental-source``, but applies to parental DS + queries sent to IPv6 addresses. + .. _managed-keys: ``managed-keys`` Statement Grammar diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index 4beb6c4604..deec1ffb88 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -410,6 +410,10 @@ options { nta\-lifetime duration; nta\-recheck duration; nxdomain\-redirect string; + parental\-source ( ipv4_address | * ) [ port ( integer | * ) ] [ + dscp integer ]; + parental\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) + ] [ dscp integer ]; pid\-file ( quoted_string | none ); port integer; preferred\-glue string; 
@@ -847,6 +851,10 @@ view string [ class ] { nta\-lifetime duration; nta\-recheck duration; nxdomain\-redirect string; + parental\-source ( ipv4_address | * ) [ port ( integer | * ) ] [ + dscp integer ]; + parental\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) + ] [ dscp integer ]; plugin ( query ) string [ { unspecified\-text } ]; preferred\-glue string; @@ -1048,6 +1056,10 @@ view string [ class ] { remote\-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ tls string ]; ... }; + parental\-source ( ipv4_address | * ) [ port ( integer | + * ) ] [ dscp integer ]; + parental\-source\-v6 ( ipv6_address | * ) [ port ( + integer | * ) ] [ dscp integer ]; primaries [ port integer ] [ dscp integer ] { ( remote\-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ @@ -1164,6 +1176,10 @@ zone string [ class ] { remote\-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ tls string ]; ... }; + parental\-source ( ipv4_address | * ) [ port ( integer | * ) ] [ + dscp integer ]; + parental\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) + ] [ dscp integer ]; primaries [ port integer ] [ dscp integer ] { ( remote\-servers | ipv4_address [ port integer ] | ipv6_address [ port integer ] ) [ key string ] [ tls diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt index 6740613e8c..a34d512726 100644 --- a/doc/misc/master.zoneopt +++ b/doc/misc/master.zoneopt @@ -47,6 +47,8 @@ zone [ ] { notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; parental-agents [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-source ( | * ) [ port ( | * ) ] [ dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; serial-update-method ( date | increment | unixtime ); sig-signing-nodes ; sig-signing-signatures ; 
diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst index 05243c40bc..ad85f5f17f 100644 --- a/doc/misc/master.zoneopt.rst +++ b/doc/misc/master.zoneopt.rst @@ -49,6 +49,8 @@ notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; parental-agents [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-source ( | * ) [ port ( | * ) ] [ dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; serial-update-method ( date | increment | unixtime ); sig-signing-nodes ; sig-signing-signatures ; diff --git a/doc/misc/options b/doc/misc/options index 87aa9e2f47..416326e6da 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -268,6 +268,10 @@ options { nta-lifetime ; nta-recheck ; nxdomain-redirect ; + parental-source ( | * ) [ port ( | * ) ] [ + dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; pid-file ( | none ); port ; preferred-glue ; @@ -624,6 +628,10 @@ view [ ] { nta-lifetime ; nta-recheck ; nxdomain-redirect ; + parental-source ( | * ) [ port ( | * ) ] [ + dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; plugin ( query ) [ { } ]; // may occur multiple times preferred-glue ; @@ -827,6 +835,10 @@ view [ ] { | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-source ( | * ) [ port ( | + * ) ] [ dscp ]; + parental-source-v6 ( | * ) [ port ( + | * ) ] [ dscp ]; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ @@ -935,6 +947,10 @@ zone [ ] { | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-source ( | * ) [ port ( | * ) ] [ + dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls diff --git a/doc/misc/options.active b/doc/misc/options.active index d8bb60f930..b05e36838d 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active 
@@ -266,6 +266,10 @@ options { nta-lifetime ; nta-recheck ; nxdomain-redirect ; + parental-source ( | * ) [ port ( | * ) ] [ + dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; pid-file ( | none ); port ; preferred-glue ; @@ -620,6 +624,10 @@ view [ ] { nta-lifetime ; nta-recheck ; nxdomain-redirect ; + parental-source ( | * ) [ port ( | * ) ] [ + dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; plugin ( query ) [ { } ]; // may occur multiple times preferred-glue ; @@ -821,6 +829,10 @@ view [ ] { | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-source ( | * ) [ port ( | + * ) ] [ dscp ]; + parental-source-v6 ( | * ) [ port ( + | * ) ] [ dscp ]; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ @@ -928,6 +940,10 @@ zone [ ] { | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-source ( | * ) [ port ( | * ) ] [ + dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst index fa2bac7160..392e9c1a42 100644 --- a/doc/misc/options.grammar.rst +++ b/doc/misc/options.grammar.rst @@ -188,6 +188,10 @@ nta-lifetime ; nta-recheck ; nxdomain-redirect ; + parental-source ( | * ) [ port ( | * ) ] [ + dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) + ] [ dscp ]; pid-file ( | none ); port ; preferred-glue ; diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt index a7e7c713e3..977e2618dd 100644 --- a/doc/misc/slave.zoneopt +++ b/doc/misc/slave.zoneopt @@ -46,6 +46,8 @@ zone [ ] { notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; parental-agents [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-source ( | * ) [ port ( | * ) ] [ dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; request-expire ; request-ixfr ; 
diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst index 48f9454c62..77ad700f53 100644 --- a/doc/misc/slave.zoneopt.rst +++ b/doc/misc/slave.zoneopt.rst @@ -48,6 +48,8 @@ notify-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; notify-to-soa ; parental-agents [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; + parental-source ( | * ) [ port ( | * ) ] [ dscp ]; + parental-source-v6 ( | * ) [ port ( | * ) ] [ dscp ]; primaries [ port ] [ dscp ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; request-expire ; request-ixfr ; diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 8d9807c190..50ed64b48e 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -3637,6 +3637,7 @@ static struct { const char *v6; } sources[] = { { "transfer-source", "transfer-source-v6" }, { "notify-source", "notify-source-v6" }, + { "parental-source", "parental-source-v6" }, { "query-source", "query-source-v6" }, { NULL, NULL } }; diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index dc8350c6e3..2002ea2e77 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h 
@@ -924,6 +924,94 @@ dns_zone_setaltxfrsource6dscp(dns_zone_t *zone, isc_dscp_t dscp); *\li #ISC_R_SUCCESS */ +isc_result_t +dns_zone_setparentalsrc4(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc); +/*%< + * Set the source address to be used with IPv4 parental DS queries. + * + * Require: + *\li 'zone' to be a valid zone. + *\li 'parentalsrc' to contain the address. + * + * Returns: + *\li #ISC_R_SUCCESS + */ + +isc_sockaddr_t * +dns_zone_getparentalsrc4(dns_zone_t *zone); +/*%< + * Returns the source address set by a previous dns_zone_setparentalsrc4 + * call, or the default of inaddr_any, port 0. + * + * Require: + *\li 'zone' to be a valid zone. + */ + +isc_dscp_t +dns_zone_getparentalsrc4dscp(dns_zone_t *zone); +/*%/ + * Get the DSCP value associated with the IPv4 parental source. + * + * Require: + *\li 'zone' to be a valid zone. + */ + +isc_result_t +dns_zone_setparentalsrc4dscp(dns_zone_t *zone, isc_dscp_t dscp); +/*%< + * Set the DSCP value associated with the IPv4 parental source. + * + * Require: + *\li 'zone' to be a valid zone. + * + * Returns: + *\li #ISC_R_SUCCESS + */ + +isc_result_t +dns_zone_setparentalsrc6(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc); +/*%< + * Set the source address to be used with IPv6 parental DS queries. + * + * Require: + *\li 'zone' to be a valid zone. + *\li 'parentalsrc' to contain the address. + * + * Returns: + *\li #ISC_R_SUCCESS + */ + +isc_sockaddr_t * +dns_zone_getparentalsrc6(dns_zone_t *zone); +/*%< + * Returns the source address set by a previous dns_zone_setparentalsrc6 + * call, or the default of in6addr_any, port 0. + * + * Require: + *\li 'zone' to be a valid zone. + */ + +isc_dscp_t +dns_zone_getparentalsrc6dscp(dns_zone_t *zone); +/*%/ + * Get the DSCP value associated with the IPv6 parental source. + * + * Require: + *\li 'zone' to be a valid zone. 
+ */ + +isc_result_t +dns_zone_setparentalsrc6dscp(dns_zone_t *zone, isc_dscp_t dscp); +/*%< + * Set the DSCP value associated with the IPv6 parental source. + * + * Require: + *\li 'zone' to be a valid zone. + * + * Returns: + *\li #ISC_R_SUCCESS + */ + isc_result_t dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc); /*%< @@ -1846,6 +1934,15 @@ dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr); *\li 'zmgr' to be a valid zone manager. */ +void +dns_zonemgr_setcheckdsrate(dns_zonemgr_t *zmgr, unsigned int value); +/*%< + * Set the number of parental DS queries sent per second. + * + * Requires: + *\li 'zmgr' to be a valid zone manager + */ + void dns_zonemgr_setnotifyrate(dns_zonemgr_t *zmgr, unsigned int value); /*%< diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3211c54de8..f3acf7364c 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -301,6 +301,8 @@ struct dns_zone { isc_task_t *loadtask; isc_sockaddr_t notifysrc4; isc_sockaddr_t notifysrc6; + isc_sockaddr_t parentalsrc4; + isc_sockaddr_t parentalsrc6; isc_sockaddr_t xfrsource4; isc_sockaddr_t xfrsource6; isc_sockaddr_t altxfrsource4; @@ -308,6 +310,8 @@ struct dns_zone { isc_sockaddr_t sourceaddr; isc_dscp_t notifysrc4dscp; isc_dscp_t notifysrc6dscp; + isc_dscp_t parentalsrc4dscp; + isc_dscp_t parentalsrc6dscp; isc_dscp_t xfrsource4dscp; isc_dscp_t xfrsource6dscp; isc_dscp_t altxfrsource4dscp; @@ -586,6 +590,7 @@ struct dns_zonemgr { isc_taskpool_t *loadtasks; isc_task_t *task; isc_pool_t *mctxpool; + isc_ratelimiter_t *checkdsrl; isc_ratelimiter_t *notifyrl; isc_ratelimiter_t *refreshrl; isc_ratelimiter_t *startupnotifyrl; @@ -602,6 +607,7 @@ struct dns_zonemgr { /* Configuration data. */ uint32_t transfersin; uint32_t transfersperns; + unsigned int checkdsrate; unsigned int notifyrate; unsigned int startupnotifyrate; unsigned int serialqueryrate; 
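Review bot: The comment openers on `dns_zone_getparentalsrc4dscp` and `dns_zone_getparentalsrc6dscp` read `/*%/` where every other block in this hunk uses the Doxygen marker `/*%<`, so those two descriptions will not attach to their declarations; change both openers to `/*%<`. The getters `dns_zone_getparentalsrc4` and `dns_zone_getparentalsrc6` return `isc_sockaddr_t *` into the zone rather than a copy, and the header says nothing about how long that pointer stays valid or whether the caller must hold the zone lock while reading through it; the locking discipline lives in zone.c, outside this header, so a line such as `*\li The returned pointer refers to storage inside 'zone'; it is not a copy.` under the Require list would make the contract explicit for new callers.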
@@ -1040,6 +1046,8 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { .idleout = DNS_DEFAULT_IDLEOUT, .notifysrc4dscp = -1, .notifysrc6dscp = -1, + .parentalsrc4dscp = -1, + .parentalsrc6dscp = -1, .xfrsource4dscp = -1, .xfrsource6dscp = -1, .altxfrsource4dscp = -1, @@ -1100,6 +1108,8 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) { ISC_LIST_INIT(zone->notifies); isc_sockaddr_any(&zone->notifysrc4); isc_sockaddr_any6(&zone->notifysrc6); + isc_sockaddr_any(&zone->parentalsrc4); + isc_sockaddr_any6(&zone->parentalsrc6); isc_sockaddr_any(&zone->xfrsource4); isc_sockaddr_any6(&zone->xfrsource6); isc_sockaddr_any(&zone->altxfrsource4); 
@@ -5947,6 +5957,75 @@ dns_zone_getaltxfrsource6dscp(dns_zone_t *zone) { return (zone->altxfrsource6dscp); } + +isc_result_t +dns_zone_setparentalsrc4(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + zone->parentalsrc4 = *parentalsrc; + UNLOCK_ZONE(zone); + + return (ISC_R_SUCCESS); +} + +isc_sockaddr_t * +dns_zone_getparentalsrc4(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + return (&zone->parentalsrc4); +} + +isc_result_t +dns_zone_setparentalsrc4dscp(dns_zone_t *zone, isc_dscp_t dscp) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + zone->parentalsrc4dscp = dscp; + UNLOCK_ZONE(zone); + + return (ISC_R_SUCCESS); +} + +isc_dscp_t +dns_zone_getparentalsrc4dscp(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + return (zone->parentalsrc4dscp); +} + +isc_result_t +dns_zone_setparentalsrc6(dns_zone_t *zone, const isc_sockaddr_t *parentalsrc) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + zone->parentalsrc6 = *parentalsrc; + UNLOCK_ZONE(zone); + + return (ISC_R_SUCCESS); +} + +isc_sockaddr_t * +dns_zone_getparentalsrc6(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + return (&zone->parentalsrc6); +} + +isc_result_t +dns_zone_setparentalsrc6dscp(dns_zone_t *zone, isc_dscp_t dscp) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + zone->parentalsrc6dscp = dscp; + UNLOCK_ZONE(zone); + + return (ISC_R_SUCCESS); +} + +isc_dscp_t +dns_zone_getparentalsrc6dscp(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + return (zone->parentalsrc6dscp); +} + isc_result_t dns_zone_setnotifysrc4(dns_zone_t *zone, const isc_sockaddr_t *notifysrc) { REQUIRE(DNS_ZONE_VALID(zone)); 
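Review bot: `dns_zone_getparentalsrc4` and `dns_zone_getparentalsrc6` hand out `&zone->parentalsrc4` / `&zone->parentalsrc6` without taking the zone lock, while `dns_zone_setparentalsrc4` / `6` overwrite the whole `isc_sockaddr_t` under `LOCK_ZONE`, so a caller dereferencing the returned pointer during a reconfigure could observe a partially written address. This mirrors the existing notify-source accessors and may be accepted convention in this file, but if so a short comment on each getter, `/* Caller must hold the zone lock, or copy the result under it. */`, would record the expectation. Separately, the hunk's line counts suggest an added blank line directly after the closing brace of `dns_zone_getaltxfrsource6dscp`, which already has a blank line after it, leaving two consecutive blank lines; worth checking in the applied file.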
@@ -5998,6 +6077,23 @@ dns_zone_getnotifysrc6(dns_zone_t *zone) { return (&zone->notifysrc6); } +isc_result_t +dns_zone_setnotifysrc6dscp(dns_zone_t *zone, isc_dscp_t dscp) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + zone->notifysrc6dscp = dscp; + UNLOCK_ZONE(zone); + + return (ISC_R_SUCCESS); +} + +isc_dscp_t +dns_zone_getnotifysrc6dscp(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + return (zone->notifysrc6dscp); +} + static bool same_addrs(isc_sockaddr_t const *oldlist, isc_sockaddr_t const *newlist, uint32_t count) { @@ -6162,23 +6258,6 @@ set_serverslist(unsigned int count, const isc_sockaddr_t *addrs, return (ISC_R_SUCCESS); } -isc_result_t -dns_zone_setnotifysrc6dscp(dns_zone_t *zone, isc_dscp_t dscp) { - REQUIRE(DNS_ZONE_VALID(zone)); - - LOCK_ZONE(zone); - zone->notifysrc6dscp = dscp; - UNLOCK_ZONE(zone); - - return (ISC_R_SUCCESS); -} - -isc_dscp_t -dns_zone_getnotifysrc6dscp(dns_zone_t *zone) { - REQUIRE(DNS_ZONE_VALID(zone)); - return (zone->notifysrc6dscp); -} - isc_result_t dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify, const isc_dscp_t *dscps, dns_name_t **keynames, @@ -18221,6 +18300,7 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, zmgr->loadtasks = NULL; zmgr->mctxpool = NULL; zmgr->task = NULL; + zmgr->checkdsrl = NULL; zmgr->notifyrl = NULL; zmgr->refreshrl = NULL; zmgr->startupnotifyrl = NULL; @@ -18248,11 +18328,17 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, isc_task_setname(zmgr->task, "zmgr", zmgr); result = isc_ratelimiter_create(mctx, timermgr, zmgr->task, - &zmgr->notifyrl); + &zmgr->checkdsrl); if (result != ISC_R_SUCCESS) { goto free_task; } + result = isc_ratelimiter_create(mctx, timermgr, zmgr->task, + &zmgr->notifyrl); + if (result != ISC_R_SUCCESS) { + goto free_checkdsrl; + } + result = isc_ratelimiter_create(mctx, timermgr, zmgr->task, &zmgr->refreshrl); if (result != ISC_R_SUCCESS) { 
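Review bot: Relocating `dns_zone_setnotifysrc6dscp` and `dns_zone_getnotifysrc6dscp` next to `dns_zone_getnotifysrc6` is a pure move bundled into a feature commit; it is harmless but inflates the diff and would be easier to verify in its own commit. In `dns_zonemgr_create` the unwind order is consistent with the labels added later in this file: a `notifyrl` failure now goes to `free_checkdsrl`, which detaches `checkdsrl` before falling into `free_task`, so the first rate limiter is no longer leaked when the second fails. dns_zonemgr_create's body continues outside this hunk.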
@@ -18271,7 +18357,8 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr, goto free_startupnotifyrl; } - /* default to 20 refresh queries / notifies per second. */ + /* default to 20 refresh queries / notifies / checkds per second. */ + setrl(zmgr->checkdsrl, &zmgr->checkdsrate, 20); setrl(zmgr->notifyrl, &zmgr->notifyrate, 20); setrl(zmgr->startupnotifyrl, &zmgr->startupnotifyrate, 20); setrl(zmgr->refreshrl, &zmgr->serialqueryrate, 20); @@ -18301,6 +18388,8 @@ free_refreshrl: isc_ratelimiter_detach(&zmgr->refreshrl); free_notifyrl: isc_ratelimiter_detach(&zmgr->notifyrl); +free_checkdsrl: + isc_ratelimiter_detach(&zmgr->checkdsrl); free_task: isc_task_detach(&zmgr->task); free_urlock: @@ -18489,6 +18578,7 @@ dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) { REQUIRE(DNS_ZONEMGR_VALID(zmgr)); + isc_ratelimiter_shutdown(zmgr->checkdsrl); isc_ratelimiter_shutdown(zmgr->notifyrl); isc_ratelimiter_shutdown(zmgr->refreshrl); isc_ratelimiter_shutdown(zmgr->startupnotifyrl); @@ -18623,6 +18713,7 @@ zonemgr_free(dns_zonemgr_t *zmgr) { isc_refcount_destroy(&zmgr->refs); isc_mutex_destroy(&zmgr->iolock); + isc_ratelimiter_detach(&zmgr->checkdsrl); isc_ratelimiter_detach(&zmgr->notifyrl); isc_ratelimiter_detach(&zmgr->refreshrl); isc_ratelimiter_detach(&zmgr->startupnotifyrl); @@ -19013,6 +19104,13 @@ setrl(isc_ratelimiter_t *rl, unsigned int *rate, unsigned int value) { *rate = value; } +void +dns_zonemgr_setcheckdsrate(dns_zonemgr_t *zmgr, unsigned int value) { + REQUIRE(DNS_ZONEMGR_VALID(zmgr)); + + setrl(zmgr->checkdsrl, &zmgr->checkdsrate, value); +} + void dns_zonemgr_setnotifyrate(dns_zonemgr_t *zmgr, unsigned int value) { REQUIRE(DNS_ZONEMGR_VALID(zmgr)); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index f45bfe0194..2a93bcc124 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
@@ -2248,6 +2248,10 @@ static cfg_clausedef_t zone_clauses[] = { CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY | CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, + { "parental-source", &cfg_type_sockaddr4wild, + CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, + { "parental-source-v6", &cfg_type_sockaddr6wild, + CFG_ZONE_MASTER | CFG_ZONE_SLAVE }, { "request-expire", &cfg_type_boolean, CFG_ZONE_SLAVE | CFG_ZONE_MIRROR }, { "request-ixfr", &cfg_type_boolean, CFG_ZONE_SLAVE | CFG_ZONE_MIRROR },