diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index 08a1476bc3..87a8d12cd8 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -71,6 +71,7 @@ DNSSEC-POLICY parent-ds-ttl duration; parent-propagation-delay duration; publish-safety duration; + purge-keys duration; retire-safety duration; signatures-refresh duration; signatures-validity duration; diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf index e23fd25060..e09b9e802b 100644 --- a/bin/tests/system/checkconf/good.conf +++ b/bin/tests/system/checkconf/good.conf @@ -26,6 +26,7 @@ dnssec-policy "test" { parent-ds-ttl 7200; parent-propagation-delay PT1H; publish-safety PT3600S; + purge-keys P90D; retire-safety PT3600S; signatures-refresh P3D; signatures-validity P2W; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 641a0054fc..bb1fadeeee 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -4980,6 +4980,15 @@ The following options can be specified in a ``dnssec-policy`` statement: bits. If it is omitted, as shown in the example for the second and third keys, an appropriate default size for the algorithm is used. + ``purge-keys`` + This is the time after when DNSSEC keys that have been deleted from + the zone can be removed from disk. If a key still determined to have + presence (for example in some resolver cache), ``named`` will not + remove the key files. + + The default is ``P90D`` (90 days). Set this option to ``0`` to never + purge deleted keys. + ``publish-safety`` This is a margin that is added to the pre-publication interval in rollover timing calculations, to give some extra time to cover diff --git a/doc/design/dnssec-policy b/doc/design/dnssec-policy index d8457bde08..344863e403 100644 --- a/doc/design/dnssec-policy +++ b/doc/design/dnssec-policy 
@@ -135,7 +135,7 @@ dnssec-policy "nsec3" { publish-safety PT3600S; retire-safety PT3600S; share-keys no; - purge-keys-after P14D; + purge-keys P90D; keys { ksk key-directory P5Y ECDSAP256SHA256; diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index cf6545c126..c660c13a7c 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst @@ -753,9 +753,10 @@ keys. The following is an example of such a clause: The policy has multiple parts: -- The name must be specified. As each zone can use a different policy, ``named`` needs to - be able to distinguish between policies. This is done by giving each - policy a name, such as ``standard`` in the above example. +- The name must be specified. As each zone can use a different policy, + ``named`` needs to be able to distinguish between policies. This is + done by giving each policy a name, such as ``standard`` in the above + example. - The ``keys`` clause lists all keys that should be in the zone, along with their associated parameters. In this example, we are using the @@ -782,7 +783,7 @@ The policy has multiple parts: long the signatures on the DNSKEY and non-DNSKEY records are valid, and how often BIND should re-sign the zone. -- Finally, the parameters ending in ``-safety`` are there to give +- The parameters ending in ``-safety`` are there to give you a bit of leeway in case a key roll doesn't go to plan. When introduced into the zone, the ``publish-safety`` time is the amount of additional time, over and above that calculated from the other 
@@ -792,6 +793,11 @@ The policy has multiple parts: other parameters, during which the old key is retained in the zone before being removed. +- Finally, the ``purge-keys`` option allows you to clean up key files + automatically after a period of time. If a key has been removed from the + zone, this option will determine how long its key files will be retained + on disk. + (You do not have to specify all the items listed above in your policy definition. Any that are not set simply take the default value.) diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index a26bcf3c0b..41a3a112d9 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -110,6 +110,7 @@ dnssec\-policy string { parent\-ds\-ttl duration; parent\-propagation\-delay duration; publish\-safety duration; + purge\-keys duration; retire\-safety duration; signatures\-refresh duration; signatures\-validity duration; diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf index 195516b40b..1903c472f1 100644 --- a/doc/misc/dnssec-policy.default.conf +++ b/doc/misc/dnssec-policy.default.conf @@ -8,6 +8,7 @@ dnssec-policy "default" { dnskey-ttl 3600; publish-safety 1h; retire-safety 1h; + purge-keys P90D; // Signature timings signatures-refresh 5d; diff --git a/doc/misc/dnssec-policy.grammar.rst b/doc/misc/dnssec-policy.grammar.rst index e826ccab4e..da4803c922 100644 --- a/doc/misc/dnssec-policy.grammar.rst +++ b/doc/misc/dnssec-policy.grammar.rst @@ -10,6 +10,7 @@ parent-ds-ttl ; parent-propagation-delay ; publish-safety ; + purge-keys ; retire-safety ; signatures-refresh ; signatures-validity ; diff --git a/doc/misc/options b/doc/misc/options index 39da1adf99..a297bf9e00 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -32,6 +32,7 @@ dnssec-policy { parent-propagation-delay ; parent-registration-delay ; // obsolete publish-safety ; + purge-keys ; retire-safety ; signatures-refresh ; signatures-validity ; 
diff --git a/doc/misc/options.active b/doc/misc/options.active
index 9ac0f03351..c103a5e4b8 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -31,6 +31,7 @@ dnssec-policy {
 parent-ds-ttl ;
 parent-propagation-delay ;
 publish-safety ;
+ purge-keys ;
 retire-safety ;
 signatures-refresh ;
 signatures-validity ;
diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index e49b01a177..d39ad80e79 100644
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -89,6 +89,7 @@ struct dns_kasp {
 /* Configuration: Timings */
 uint32_t publish_safety;
 uint32_t retire_safety;
+ uint32_t purge_keys;
 /* Zone settings */
 dns_ttl_t zone_max_ttl;
@@ -109,6 +110,7 @@ struct dns_kasp {
 #define DNS_KASP_KEY_TTL (3600)
 #define DNS_KASP_DS_TTL (86400)
 #define DNS_KASP_PUBLISH_SAFETY (3600)
+#define DNS_KASP_PURGE_KEYS (86400 * 90)
 #define DNS_KASP_RETIRE_SAFETY (3600)
 #define DNS_KASP_ZONE_MAXTTL (86400)
 #define DNS_KASP_ZONE_PROPDELAY (300)
@@ -306,6 +308,30 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl);
 *\li 'kasp' is a valid, thawed kasp.
 */
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp);
+/*%<
+ * Get purge keys interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li Purge keys interval.
+ */
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set purge keys interval.
+ *
+ * Requires:
+ *
+ *\li 'kasp' is a valid, thawed kasp.
+ */
+
 uint32_t
 dns_kasp_publishsafety(dns_kasp_t *kasp);
 /*%<
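Review bot: The header comments on `dns_kasp_purgekeys` and `dns_kasp_setpurgekeys` say only "purge keys interval" and omit both the unit and the special value that the ARM text added in this same commit promises ("Set this option to ``0`` to never purge deleted keys"). A caller reading kasp.h alone cannot tell whether 0 means "purge immediately" or "never purge", which matters for code that will delete key material from disk. The unit is seconds, as `DNS_KASP_PURGE_KEYS (86400 * 90)` and the neighbouring `DNS_KASP_PUBLISH_SAFETY (3600)` show, so suggest `* Get the interval, in seconds, after which the key files of a key removed from the zone may be deleted; 0 disables purging.` on the getter and the same sentence for the setter's `value`. The define in the earlier hunk of this file would benefit from the same one-line comment.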
@@ -53,6 +53,7 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 kasp->dnskey_ttl = DNS_KASP_KEY_TTL;
 kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
 kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
+ kasp->purge_keys = DNS_KASP_PURGE_KEYS;
 kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
 kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
@@ -203,6 +204,22 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
 kasp->dnskey_ttl = ttl;
 }
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(kasp->frozen);
+
+ return (kasp->purge_keys);
+}
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value) {
+ REQUIRE(DNS_KASP_VALID(kasp));
+ REQUIRE(!kasp->frozen);
+
+ kasp->purge_keys = value;
+}
+
 uint32_t
 dns_kasp_publishsafety(dns_kasp_t *kasp) {
 REQUIRE(DNS_KASP_VALID(kasp));
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 2dce5121e8..8f09bf0971 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -442,6 +442,7 @@ dns_kasp_nsec3iter
 dns_kasp_nsec3saltlen
 dns_kasp_parentpropagationdelay
 dns_kasp_publishsafety
+dns_kasp_purgekeys
 dns_kasp_retiresafety
 dns_kasp_setdnskeyttl
 dns_kasp_setdsttl
@@ -449,6 +450,7 @@ dns_kasp_setnsec3
 dns_kasp_setnsec3param
 dns_kasp_setparentpropagationdelay
 dns_kasp_setpublishsafety
+dns_kasp_setpurgekeys
 dns_kasp_setretiresafety
 dns_kasp_setsigrefresh
 dns_kasp_setsigvalidity
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 3e0e0874f4..b8fa1f8225 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -315,6 +315,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
 DNS_KASP_PUBLISH_SAFETY));
 dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety",
 DNS_KASP_RETIRE_SAFETY));
+ dns_kasp_setpurgekeys(
+ kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS));
 (void)confget(maps, "keys", &keys);
 if (keys != NULL) {
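Review bot: `dns_kasp_setpurgekeys(kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS))` stores whatever duration the configuration supplies without relating it to the policy's other timings; nothing in this hunk rejects, or warns about, a `purge-keys` value shorter than the retire-safety and TTL-derived period during which a key removed from the zone may still be needed (the ARM text added in this commit itself cites resolver caches as the reason the files are kept). If the checks that presumably follow later in cfg_kasp_fromconfig do not cover this, a too-small value would let key files be deleted while the zone can still legitimately depend on them, with no way to recover the private key. Consider a sanity check or at least a logged warning next to this call, and a short comment stating that 0 disables purging, since neither the getter nor the setter documents that. cfg_kasp_fromconfig starts and ends outside the hunk.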
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 7c29970a81..56fc96b407 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2131,6 +2131,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 { "parent-registration-delay", &cfg_type_duration,
 CFG_CLAUSEFLAG_OBSOLETE },
 { "publish-safety", &cfg_type_duration, 0 },
+ { "purge-keys", &cfg_type_duration, 0 },
 { "retire-safety", &cfg_type_duration, 0 },
 { "signatures-refresh", &cfg_type_duration, 0 },
 { "signatures-validity", &cfg_type_duration, 0 },