diff --git a/Dockerfile b/Dockerfile
index 72c9ed6..0ea6642 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ ARG BASE_IMAGE=gitea.nulo.in/sutty/monit
 FROM ${BASE_IMAGE}:${ALPINE_VERSION}
 LABEL org.opencontainers.image.authors="f@sutty.nl"
 
-RUN apk add --no-cache opendkim mini-sendmail
+RUN apk add --no-cache opendkim opendkim-utils mini-sendmail drill
 
 COPY ./monit.conf /etc/monit.d/opendkim.conf
 COPY ./opendkimd.sh /usr/local/bin/opendkimd
diff --git a/opendkimd.sh b/opendkimd.sh
index 2bd6b54..7537800 100755
--- a/opendkimd.sh
+++ b/opendkimd.sh
@@ -1,6 +1,19 @@
 #!/bin/sh
 
 pid=/tmp/opendkim.pid
+dir=/etc/opendkim
+key=$dir/key_table
+sig=$dir/signing_table
+
+SUTTY="${SUTTY:-${DOMAIN#*.}}"
+
+ok() {
+  logger -s -t $0 "ok - $@"
+}
+
+not_ok() {
+  logger -s -t $0 "not ok - $@"
+}
 
 case $1 in
   stop)
@@ -9,12 +22,71 @@ case $1 in
     ;;
   start)
     install -dm 2750 -o opendkim -g opendkim /run/opendkim
+    touch $key $sig
     chown -R opendkim:opendkim /etc/opendkim
 
     /usr/sbin/opendkim
     ;;
   rotate)
-    test -f $pid || exit 0
-    test $pid -ot /etc/opendkim/dkim.private && cat $pid | xargs -r kill -USR1
+    node="${DOMAIN%%.*}"
+    date="`date +%Y%m`"
+    selc="${date}${node}"
+    pkey="${dir}/${selc}.private"
+    tkey="${dir}/${selc}.txt"
+    dkey="$selc._domainkey.$SUTTY"
+
+    # Do nothing if it already exists
+    test -f "$pkey" && exit 0
+
+    # Remove old keys later
+    prev="`find $dir -name "*.private" -o -name "*.txt"`"
+
+    ok "Generating new keys for selector ${selc}"
+    opendkim-genkey --directory=$dir  --selector=$selc --subdomains --domain=$SUTTY
+
+    # Discard previous keys
+    echo "$dkey $SUTTY:$selc:$pkey" > $key
+    echo "$SUTTY $dkey" > $sig
+
+    txt="`cat $tkey | tr -d "\n" | cut -d '"' -f 2,4 | tr -d '"' | tr -d " "`"
+
+    # Craft record
+    cat >/tmp/dns <<DNS
+server knot.$node
+zone _domainkey.${SUTTY}.
+origin _domainkey.${SUTTY}.
+ttl 60
+del ${dkey}. TXT
+add ${dkey}. TXT "${txt}"
+send
+quit
+DNS
+
+    # Register the TXT record on every nameserver. Log failures but
+    # continue anyway.
+    ok "Registering public key records"
+    for node in `drill -Q ns $SUTTY`; do
+      if knsupdate /tmp/dns; then
+        ok "Registered public key record at ${node}"
+      else
+        not_ok "Registered public key record at ${node}"
+      fi
+
+      if drill -Q @${node} txt ${dkey} | grep -q "${txt}"; then
+        ok "Registered correctly"
+      else
+        not_ok "Couldn't query ${dkey} at ${node}!"
+      fi
+    done
+
+    if test -n "$prev"; then
+      ok "Pruning old keypairs"
+      rm -f $prev
+    fi
+
+    if test -f $pid ; then
+      ok "Reloading"
+      cat $pid | xargs -r kill -USR1
+    fi
     ;;
 esac