diff --git a/CHANGES b/CHANGES
index 2809892098..00c0720632 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6376. [func] Allow 'dnssec-keygen' options '-f' and '-k' to be used
+ together to create a subset of keys from the DNSSEC
+ policy.
+
 6375. [func] Allow multiple RNDC message to be processed from a single TCP read. [GL #4416]
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index ba68504234..a7df14c127 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -96,6 +96,7 @@ struct keygen_ctx {
 int options;
 int dbits;
 dns_ttl_t ttl;
+ uint16_t zskflag;
 uint16_t kskflag;
 uint16_t revflag;
 dns_secalg_t alg;
@@ -177,7 +178,7 @@ usage(void) {
 fprintf(stderr, " -d (0 => max, default)\n");
 fprintf(stderr, " -E :\n");
 fprintf(stderr, " name of an OpenSSL engine to use\n");
- fprintf(stderr, " -f : KSK | REVOKE\n");
+ fprintf(stderr, " -f : ZSK | KSK | REVOKE\n");
 fprintf(stderr, " -F: FIPS mode\n");
 fprintf(stderr, " -L : default key TTL\n");
 fprintf(stderr, " -p : (default: 3 [dnssec])\n");
@@ -262,6 +263,7 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 isc_result_t ret;
 dst_key_t *key = NULL;
 dst_key_t *prevkey = NULL;
+ uint16_t kskflag;
 UNUSED(argc);
@@ -551,10 +553,16 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 ctx->directory = ".";
 }
+ if (ctx->ksk) {
+ kskflag = DNS_KEYFLAG_KSK;
+ } else {
+ kskflag = ctx->kskflag;
+ }
+
 if ((ctx->options & DST_TYPE_KEY) != 0) { /* KEY */
 flags |= ctx->signatory;
 } else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
- flags |= ctx->kskflag;
+ flags |= kskflag;
 flags |= ctx->revflag;
 }
@@ -923,6 +931,8 @@ main(int argc, char **argv) {
 c = (unsigned char)(isc_commandline_argument[0]);
 if (toupper(c) == 'K') {
 ctx.kskflag = DNS_KEYFLAG_KSK;
+ } else if (toupper(c) == 'Z') {
+ ctx.zskflag = 1;
 } else if (toupper(c) == 'R') {
 ctx.revflag = DNS_KEYFLAG_REVOKE;
 } else {
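Review bot: The `else` branch added in keygen() (`kskflag = ctx->kskflag;`) still feeds the user's `-fK` bit into a policy key whenever that key is not skipped by the new `continue` checks in main()'s kasp loop (hunks `@@ -1254` and `@@ -1270`): if `-fK` and `-fZ` are both given, a ZSK-only policy key reaches keygen() with `ctx->ksk` false and `ctx->kskflag == DNS_KEYFLAG_KSK`, so it is written with the KSK flag set. That combination looks reachable because the `-f` parser sets `ctx.kskflag` and `ctx.zskflag` independently per occurrence, though I cannot see from here whether repeated `-f` is rejected elsewhere. The simplest fix is to keep `-f` as a pure filter in policy mode: snapshot the user's selection into locals before the loop, restore the per-key `ctx.kskflag = ctx.ksk ? DNS_KEYFLAG_KSK : 0` that the `@@ -1254` hunk removes, and base the skip tests on the locals, so keygen() never sees the `-fK` bit for a policy key; the `if (ctx->ksk)` branch in keygen() then stays correct but becomes redundant. keygen()'s body and the kasp loop both extend beyond their hunks.
```c
	/* … unchanged: kasp lookup, ctx.ttl / ctx.setttl … */
	bool want_ksk = (ctx.kskflag != 0); /* user's -fK, taken before the loop rewrites ctx.kskflag */
	bool want_zsk = (ctx.zskflag != 0); /* user's -fZ */
	for (kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kaspkey != NULL;
	     kaspkey = ISC_LIST_NEXT(kaspkey, link))
	{
		/* … unchanged: ctx.use_nsec3 / ctx.alg / ctx.size … */
		ctx.ksk = dns_kasp_key_ksk(kaspkey);
		ctx.zsk = dns_kasp_key_zsk(kaspkey);
		ctx.kskflag = ctx.ksk ? DNS_KEYFLAG_KSK : 0; /* per-key role, never the -fK bit */
		/* … unchanged: ctx.lifetime, keystore check … */
		if ((ctx.ksk && !want_ksk && want_zsk) ||
		    (ctx.zsk && !want_zsk && want_ksk))
		{
			continue;
		}
		keygen(&ctx, mctx, argc, argv);
	}
```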
@@ -1198,8 +1208,8 @@ main(int argc, char **argv) {
 if (ctx.size != -1) {
 fatal("-k and -b cannot be used together");
 }
- if (ctx.kskflag || ctx.revflag) {
- fatal("-k and -f cannot be used together");
+ if (ctx.revflag) {
+ fatal("-k and -fR cannot be used together");
 }
 if (ctx.options & DST_TYPE_KEY) {
 fatal("-k and -T KEY cannot be used together");
@@ -1214,9 +1224,9 @@ main(int argc, char **argv) {
 ctx.use_nsec3 = false;
 ctx.alg = DST_ALG_ECDSA256;
 ctx.size = 0;
- ctx.kskflag = DNS_KEYFLAG_KSK;
 ctx.ttl = 3600;
 ctx.setttl = true;
+ ctx.kskflag = DNS_KEYFLAG_KSK;
 ctx.ksk = true;
 ctx.zsk = true;
 ctx.lifetime = 0;
@@ -1254,15 +1264,13 @@ main(int argc, char **argv) {
 ctx.ttl = dns_kasp_dnskeyttl(kasp);
 ctx.setttl = true;
- kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
-
- while (kaspkey != NULL) {
+ for (kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
+ kaspkey != NULL;
+ kaspkey = ISC_LIST_NEXT(kaspkey, link))
+ {
 ctx.use_nsec3 = false;
 ctx.alg = dns_kasp_key_algorithm(kaspkey);
 ctx.size = dns_kasp_key_size(kaspkey);
- ctx.kskflag = dns_kasp_key_ksk(kaspkey)
- ? DNS_KEYFLAG_KSK
- : 0;
 ctx.ksk = dns_kasp_key_ksk(kaspkey);
 ctx.zsk = dns_kasp_key_zsk(kaspkey);
 ctx.lifetime = dns_kasp_key_lifetime(kaspkey);
@@ -1270,10 +1278,17 @@ main(int argc, char **argv) {
 if (ctx.keystore != NULL) {
 check_keystore_options(&ctx);
 }
-
+ if (ctx.ksk && ctx.kskflag == 0 &&
+ ctx.zskflag != 0)
+ {
+ continue;
+ }
+ if (ctx.zsk && ctx.zskflag == 0 &&
+ ctx.kskflag != 0)
+ {
+ continue;
+ }
 keygen(&ctx, mctx, argc, argv);
-
- kaspkey = ISC_LIST_NEXT(kaspkey, link);
 }
 dns_kasp_detach(&kasp);
diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst
index cc721e0599..2e12fe60cd 100644
--- a/bin/dnssec/dnssec-keygen.rst
+++ b/bin/dnssec/dnssec-keygen.rst
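Review bot: The two `continue` tests in the `@@ -1270` hunk exclude a policy key that carries both roles (`ctx.ksk` and `ctx.zsk` true) under either filter: with `-fK` alone the second test fires because `ctx.zsk && ctx.zskflag == 0 && ctx.kskflag != 0`, and with `-fZ` alone the first fires, so a policy whose only key is a combined KSK/ZSK generates nothing unless both `-fK` and `-fZ` are given. That may be the intended reading of "only match the given role" in dnssec-keygen.rst, but neither the code nor the manual says so; I would state it in a comment above the checks, `/* A key with both roles is skipped unless both -fK and -fZ are given. */`, and in the rst paragraph describing `-f` with `-k`. Since the loop otherwise exits silently, a diagnostic after it when the filter matched no key would also help the operator notice an empty run; I cannot see from the hunk whether the surrounding code already counts generated keys. The loop and main() continue outside the hunk.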
@@ -105,7 +105,13 @@ Options
 .. option:: -f flag
 This option sets the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flags are KSK (Key-Signing Key) and REVOKE.
+ The only recognized flags are ZSK (Zone-Signing Key), KSK (Key-Signing Key)
+ and REVOKE.
+
+ Note that ZSK is not a physical flag in the DNSKEY record, it is merely used
+ to explicitly tell that you want to create a ZSK. Setting :option:`-f` in
+ conjunction with :option:`-k` will result in generating keys that only
+ match the given role set with this option.
 .. option:: -F
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index f40a45f4d7..11e9c68b01 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -44,6 +44,10 @@ Feature Changes
 ISC would like to thank Dominik Thalhammer for reporting the issue and preparing the initial patch. :gl:`#4416`
+- :iscman:`dnssec-keygen` now allows the options ``-k`` and ``-f`` to be
+ used together. This allows creating keys for a given :any:`dnssec-policy`
+ that match only the KSK (``-fK``) or ZSK (``-fZ``) role.
+
 Bug Fixes
 ~~~~~~~~~