diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire1.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire1.wire
new file mode 100644
index 0000000000..e8ee944cc9
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire1.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire1.spec
+###
+
+# TKEY RDATA, RDLEN=58
+003a
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=32 Key=(see hex)
+0020 7878787878787878787878787878787878787878787878787878787878787878
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire2.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire2.wire
new file mode 100644
index 0000000000..614844f0d1
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire2.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire2.spec
+###
+
+# TKEY RDATA, RDLEN=66
+0042
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=32 Key=(see hex)
+0020 7878787878787878787878787878787878787878787878787878787878787878
+# Other-Len=8 Other-Data=(see hex)
+0008 6162636430313233
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire3.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire3.wire
new file mode 100644
index 0000000000..df27910614
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire3.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire3.spec
+###
+
+# TKEY RDATA, RDLEN=34
+0022
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=0 Key=(see hex)
+0000
+# Other-Len=8 Other-Data=(see hex)
+0008 6162636430313233
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire4.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire4.wire
new file mode 100644
index 0000000000..550052e2d5
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire4.wire
@@ -0,0 +1,17 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire4.spec
+###
+
+# DNS Name: gss-tsig
+086773732d7473696700
+
+# TKEY RDATA, RDLEN=50
+0032
+# Algorithm=ptr=0
+c000
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=32 Key=(see hex)
+0020 7878787878787878787878787878787878787878787878787878787878787878
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire5.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire5.wire
new file mode 100644
index 0000000000..fa325667e9
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire5.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire5.spec
+###
+
+# TKEY RDATA, RDLEN=57
+0039
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=32 Key=(see hex)
+0020 7878787878787878787878787878787878787878787878787878787878787878
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire6.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire6.wire
new file mode 100644
index 0000000000..7f5f11204d
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire6.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire6.spec
+###
+
+# TKEY RDATA, RDLEN=60
+003c
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=32 Key=(see hex)
+0020 7878787878787878787878787878787878787878787878787878787878787878
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire7.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire7.wire
new file mode 100644
index 0000000000..73b277cf7e
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire7.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire7.spec
+###
+
+# TKEY RDATA, RDLEN=117
+0075
+# Algorithm="01234567890123456789012345678901234567890123456789012345678901234"
+432230313233343536373839303132333435363738393031323334353637383930313233343536373839303132333435363738393031323334353637383930313233342200
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=32 Key=(see hex)
+0020 7878787878787878787878787878787878787878787878787878787878787878
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire8.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire8.wire
new file mode 100644
index 0000000000..abeb95b572
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire8.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire8.spec
+###
+
+# TKEY RDATA, RDLEN=38
+0026
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=65535 Key=(see hex)
+ffff 2264756d6d79206461746122
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_fromWire9.wire b/src/lib/dns/tests/testdata/rdata_tkey_fromWire9.wire
new file mode 100644
index 0000000000..8e5f9434ae
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_fromWire9.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_fromWire9.spec
+###
+
+# TKEY RDATA, RDLEN=58
+003a
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=32 Key=(see hex)
+0020 7878787878787878787878787878787878787878787878787878787878787878
+# Other-Len=65535 Other-Data=(see hex)
+ffff
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_toWire1.wire b/src/lib/dns/tests/testdata/rdata_tkey_toWire1.wire
new file mode 100644
index 0000000000..3f49a69e81
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_toWire1.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_toWire1.spec
+###
+
+# TKEY RDATA, RDLEN=26
+001a
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=0 Key=(see hex)
+0000
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_toWire2.wire b/src/lib/dns/tests/testdata/rdata_tkey_toWire2.wire
new file mode 100644
index 0000000000..a1fdb9a2d5
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_toWire2.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_toWire2.spec
+###
+
+# TKEY RDATA, RDLEN=38
+0026
+# Algorithm=GSS-TSIG
+084753532d5453494700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=16
+608d42c0 608d50d0 0003 0010
+# Key Len=12 Key=(see hex)
+000c 140284140284140284140284
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_toWire3.wire b/src/lib/dns/tests/testdata/rdata_tkey_toWire3.wire
new file mode 100644
index 0000000000..f2f8a6f6e6
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_toWire3.wire
@@ -0,0 +1,14 @@
+###
+### This data file was auto-generated from rdata_tkey_toWire3.spec
+###
+
+# TKEY RDATA, RDLEN=44
+002c
+# Algorithm=gss.tsig
+03677373047473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=16
+608d42c0 608d50d0 0003 0010
+# Key Len=12 Key=(see hex)
+000c 140284140284140284140284
+# Other-Len=6 Other-Data=(see hex)
+0006 140284140284
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_toWire4.wire b/src/lib/dns/tests/testdata/rdata_tkey_toWire4.wire
new file mode 100644
index 0000000000..81a1443a3b
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_toWire4.wire
@@ -0,0 +1,17 @@
+###
+### This data file was auto-generated from rdata_tkey_toWire4.spec
+###
+
+# DNS Name: gss-tsig
+086773732d7473696700
+
+# TKEY RDATA, RDLEN=26
+001a
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=0 Key=(see hex)
+0000
+# Other-Len=0 Other-Data=(see hex)
+0000
diff --git a/src/lib/dns/tests/testdata/rdata_tkey_toWire5.wire b/src/lib/dns/tests/testdata/rdata_tkey_toWire5.wire
new file mode 100644
index 0000000000..e59a1f0c72
--- /dev/null
+++ b/src/lib/dns/tests/testdata/rdata_tkey_toWire5.wire
@@ -0,0 +1,17 @@
+###
+### This data file was auto-generated from rdata_tkey_toWire5.spec
+###
+
+# TKEY RDATA, RDLEN=26
+001a
+# Algorithm=gss-tsig
+086773732d7473696700
+# Inception=1619870400 Expire=1619874000 Mode=3 Error=0
+608d42c0 608d50d0 0003 0000
+# Key Len=0 Key=(see hex)
+0000
+# Other-Len=0 Other-Data=(see hex)
+0000
+
+# DNS Name: ptr=2
+c002
diff --git a/src/lib/dns/tests/tsigkey_unittest.cc b/src/lib/dns/tests/tsigkey_unittest.cc
index 076d499d53..90c59ac112 100644
--- a/src/lib/dns/tests/tsigkey_unittest.cc
+++ b/src/lib/dns/tests/tsigkey_unittest.cc
@@ -1,4 +1,4 @@
-// Copyright (C) 2010-2019 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2021-2019 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -40,6 +40,7 @@ TEST_F(TSIGKeyTest, algorithmNames) {
     EXPECT_EQ(Name("hmac-sha224"), TSIGKey::HMACSHA224_NAME());
     EXPECT_EQ(Name("hmac-sha384"), TSIGKey::HMACSHA384_NAME());
     EXPECT_EQ(Name("hmac-sha512"), TSIGKey::HMACSHA512_NAME());
+    EXPECT_EQ(Name("gss-tsig"), TSIGKey::GSSTSIG_NAME());
 
     // Also check conversion to cryptolink definitions
     EXPECT_EQ(isc::cryptolink::MD5, TSIGKey(key_name, TSIGKey::HMACMD5_NAME(),
diff --git a/src/lib/dns/tsigkey.cc b/src/lib/dns/tsigkey.cc
index ff355d4fa4..6f7421e55f 100644
--- a/src/lib/dns/tsigkey.cc
+++ b/src/lib/dns/tsigkey.cc
@@ -1,4 +1,4 @@
-// Copyright (C) 2010-2015 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2010-2021 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -300,6 +300,12 @@ Name& TSIGKey::HMACSHA512_NAME() {
     return (alg_name);
 }
 
+const
+Name& TSIGKey::GSSTSIG_NAME() {
+    static Name alg_name("gss-tsig");
+    return (alg_name);
+}
+
 struct TSIGKeyRing::TSIGKeyRingImpl {
     typedef map<Name, TSIGKey> TSIGKeyMap;
     typedef pair<Name, TSIGKey> NameAndKey;
diff --git a/src/lib/dns/tsigkey.h b/src/lib/dns/tsigkey.h
index 2b8e3d6cf2..1380319c5f 100644
--- a/src/lib/dns/tsigkey.h
+++ b/src/lib/dns/tsigkey.h
@@ -1,4 +1,4 @@
-// Copyright (C) 2010-2015 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2010-2021 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -216,6 +216,7 @@ public:
     static const Name& HMACSHA224_NAME(); ///< HMAC-SHA256 (RFC4635)
     static const Name& HMACSHA384_NAME(); ///< HMAC-SHA256 (RFC4635)
     static const Name& HMACSHA512_NAME(); ///< HMAC-SHA256 (RFC4635)
+    static const Name& GSSTSIG_NAME();    ///< GSS-TSIG (RFC3645)
     //@}
 
 private: