diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst
index 409dee4b28..49dd29aca6 100644
--- a/bin/dig/dig.rst
+++ b/bin/dig/dig.rst
@@ -132,12 +132,14 @@ Options
 .. option:: -k keyfile
- This option tells :iscman:`named` to sign queries using TSIG using a key read from the given file. Key
- files can be generated using :iscman:`tsig-keygen`. When using TSIG
- authentication with :program:`dig`, the name server that is queried needs to
- know the key and algorithm that is being used. In BIND, this is done
- by providing appropriate ``key`` and ``server`` statements in
- :iscman:`named.conf`.
+ This option tells :program:`dig` to sign queries using TSIG or
+ SIG(0) using a key read from the given file. Key files can be
+ generated using :iscman:`tsig-keygen`. When using TSIG authentication
+ with :program:`dig`, the name server that is queried needs to
+ know the key and algorithm that is being used. In BIND, this is
+ done by providing appropriate ``key`` and ``server`` statements
+ in :iscman:`named.conf` for TSIG and by looking up the KEY record
+ in zone data for SIG(0).
 .. option:: -m
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 3c9e50fad5..f5b4f9e63e 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -143,6 +143,7 @@ const dns_name_t *hmacname = NULL;
 unsigned int digestbits = 0;
 isc_buffer_t *namebuf = NULL;
 dns_tsigkey_t *tsigkey = NULL;
+dst_key_t *sig0key = NULL;
 bool validated = true;
 bool debugging = false;
 bool debugtiming = false;
@@ -1141,6 +1142,10 @@ setup_file_key(void) {
 debug("setup_file_key()");
+ if (sig0key != NULL) {
+ dst_key_free(&sig0key);
+ }
+
 /* Try reading the key from a K* pair */
 result = dst_key_fromnamedfile(
 keyfile, NULL, DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey);
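Review bot: Freeing a leftover sig0key at the top of setup_file_key() prepares for a repeat call, but hmacname, a file-scope global per the @@ -143 hunk, still holds whatever the previous call's algorithm switch assigned, and the routing added at @@ -1178 decides TSIG versus SIG(0) with `if (hmacname != NULL)`; a second call with a non-HMAC key file would therefore be pushed down the TSIG path under the stale algorithm name. Unless the switch prologue outside this hunk already clears it, reset it next to the new free: `hmacname = NULL;`. The remainder of setup_file_key(), including the switch, lies outside this hunk.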
@@ -1178,18 +1183,20 @@ setup_file_key(void) {
 case DST_ALG_HMACSHA512:
 hmacname = DNS_TSIG_HMACSHA512_NAME;
 break;
- default:
- printf(";; Couldn't create key %s: bad algorithm\n",
- keynametext);
- goto failure;
 }
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
- dstkey, false, NULL, 0, 0, mctx,
- NULL, &tsigkey);
- if (result != ISC_R_SUCCESS) {
- printf(";; Couldn't create key %s: %s\n", keynametext,
- isc_result_totext(result));
- goto failure;
+
+ if (hmacname != NULL) {
+ result = dns_tsigkey_createfromkey(
+ dst_key_name(dstkey), hmacname, dstkey, false, NULL, 0,
+ 0, mctx, NULL, &tsigkey);
+ if (result != ISC_R_SUCCESS) {
+ printf(";; Couldn't create key %s: %s\n", keynametext,
+ isc_result_totext(result));
+ goto failure;
+ }
+ } else {
+ dst_key_attach(dstkey, &sig0key);
+ dst_key_free(&dstkey);
 }
 failure:
 if (dstkey != NULL) {
@@ -2425,6 +2432,10 @@ setup_lookup(dig_lookup_t *lookup) {
 debug("initializing keys");
 result = dns_message_settsigkey(lookup->sendmsg, tsigkey);
 check_result(result, "dns_message_settsigkey");
+ } else if (sig0key != NULL) {
+ debug("initializing keys");
+ result = dns_message_setsig0key(lookup->sendmsg, sig0key);
+ check_result(result, "dns_message_setsig0key");
 }
 lookup->sendspace = isc_mem_get(mctx, COMMSIZE);
@@ -4654,10 +4665,17 @@ destroy_libs(void) {
 clear_searchlist();
 if (tsigkey != NULL) {
- debug("freeing key %p", tsigkey);
+ debug("freeing TSIG key %p", tsigkey);
 dns_tsigkey_detach(&tsigkey);
 }
+
+ if (sig0key != NULL) {
+ debug("freeing SIG(0) key %p", sig0key);
+ dst_key_free(&sig0key);
+ }
+
 if (namebuf != NULL) {
+ debug("freeing key %p", tsigkey);
 isc_buffer_free(&namebuf);
 }
diff --git a/doc/man/dig.1in b/doc/man/dig.1in
index 171d7fc602..3ba9962b19 100644
--- a/doc/man/dig.1in
+++ b/doc/man/dig.1in
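Review bot: With the `default:` case gone, every key whose algorithm is not one of the HMAC cases reaches the new else branch and is attached as sig0key without any check that it is a private key that can sign; a key file with an unsupported algorithm therefore loses the former `bad algorithm` diagnostic and fails only later, when the message is signed, with a less specific error. Guard the branch before `dst_key_attach(dstkey, &sig0key);`, e.g. `if (!dst_key_isprivate(dstkey)) { printf(";; Couldn't create key %s: not a private key\n", keynametext); goto failure; }`, and decide explicitly which algorithms dig should accept for SIG(0) rather than accepting everything non-HMAC. The explicit `dst_key_free(&dstkey);` in the else branch looks redundant with the `if (dstkey != NULL)` cleanup under failure:, though that cleanup's body is outside the hunk.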
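Review bot: The `debug("freeing key %p", tsigkey);` added inside the namebuf branch of destroy_libs() logs the wrong object: tsigkey was already detached a few lines earlier in the same hunk, so the message reports a stale or NULL TSIG key while the buffer actually being freed goes unmentioned. Change it to `debug("freeing name buffer %p", namebuf);`. destroy_libs() continues past the end of the hunk.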
@@ -153,12 +153,14 @@ Print a usage summary.
 .INDENT 0.0
 .TP
 .B \-k keyfile
-This option tells \fI\%named\fP to sign queries using TSIG using a key read from the given file. Key
-files can be generated using \fI\%tsig\-keygen\fP\&. When using TSIG
-authentication with \fBdig\fP, the name server that is queried needs to
-know the key and algorithm that is being used. In BIND, this is done
-by providing appropriate \fBkey\fP and \fBserver\fP statements in
-\fI\%named.conf\fP\&.
+This option tells \fBdig\fP to sign queries using TSIG or
+SIG(0) using a key read from the given file. Key files can be
+generated using \fI\%tsig\-keygen\fP\&. When using TSIG authentication
+with \fBdig\fP, the name server that is queried needs to
+know the key and algorithm that is being used. In BIND, this is
+done by providing appropriate \fBkey\fP and \fBserver\fP statements
+in \fI\%named.conf\fP for TSIG and by looking up the KEY record
+in zone data for SIG(0).
 .UNINDENT
 .INDENT 0.0
 .TP