diff --git a/dns/bind/Makefile b/dns/bind/Makefile
index 03621be6e42..269b88c4c8b 100644
--- a/dns/bind/Makefile
+++ b/dns/bind/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		bind
-PLUGIN_VERSION=		1.33
+PLUGIN_VERSION=		1.34
 PLUGIN_COMMENT=		BIND domain name service
 PLUGIN_DEPENDS=		bind920
 PLUGIN_MAINTAINER=	m.muenz@gmail.com
diff --git a/dns/bind/pkg-descr b/dns/bind/pkg-descr
index 3457965b847..57dd3b0f289 100644
--- a/dns/bind/pkg-descr
+++ b/dns/bind/pkg-descr
@@ -8,6 +8,10 @@ WWW: https://www.isc.org
 
 Plugin Changelog
 ================
+1.34
+
+* Added page for management of keys for rndc control and transfer usage (contributed by Jeremy Jeremy-Boyle)
+* Fix out of sync journal with pre-start and pre-stop scripts (contributed by Jeremy Jeremy-Boyle)
 
 1.33
 
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/KeyController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/KeyController.php
new file mode 100644
index 00000000000..33b6b0174a8
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/KeyController.php
@@ -0,0 +1,65 @@
+<?php
+
+/**
+ *    Copyright (C) 2024 Jeremy Boyle
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Bind\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+class KeyController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelName = 'key';
+    protected static $internalModelClass = '\OPNsense\Bind\Key';
+
+    public function searchKeyAction()
+    {
+        return $this->searchBase('keys.key', array("enabled", "name","algo","secret"));
+    }
+    public function getKeyAction($uuid = null)
+    {
+        $this->sessionClose();
+        return $this->getBase('key', 'keys.key', $uuid);
+    }
+    public function addKeyAction()
+    {
+        return $this->addBase('key', 'keys.key');
+    }
+    public function delKeyAction($uuid)
+    {
+        return $this->delBase('keys.key', $uuid);
+    }
+    public function setKeyAction($uuid)
+    {
+        return $this->setBase('key', 'keys.key', $uuid);
+    }
+    public function toggleKeyAction($uuid)
+    {
+        return $this->toggleBase('keys.key', $uuid);
+    }
+}
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
index 663acb0589c..2a62d870ddc 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/GeneralController.php
@@ -35,6 +35,7 @@ public function indexAction()
         $this->view->generalForm = $this->getForm("general");
         $this->view->dnsblForm = $this->getForm("dnsbl");
         $this->view->formDialogEditBindAcl = $this->getForm("dialogEditBindAcl");
+        $this->view->formDialogEditBindKey = $this->getForm("dialogEditBindKey");
         $this->view->formDialogEditBindPrimaryDomain = $this->getForm("dialogEditBindPrimaryDomain");
         $this->view->formDialogEditBindSecondaryDomain = $this->getForm("dialogEditBindSecondaryDomain");
         $this->view->formDialogEditBindRecord = $this->getForm("dialogEditBindRecord");
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindKey.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindKey.xml
new file mode 100644
index 00000000000..6a0578ecc50
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindKey.xml
@@ -0,0 +1,28 @@
+<form>
+    <field>
+        <id>key.enabled</id>
+        <label>Enabled</label>
+        <type>checkbox</type>
+        <help>This will enable or disable the key.</help>
+    </field>
+    <field>
+        <id>key.name</id>
+        <label>Name</label>
+        <type>text</type>
+        <help>Set the name for this key key.</help>
+    </field>
+    <field>
+        <id>key.algo</id>
+        <label>Algorithm</label>
+        <type>dropdown</type>
+        <advanced>true</advanced>
+        <help>Set the authentication algorithm for the key. This requires a restart of the Bind Service.</help>
+    </field>
+    <field>
+        <id>key.secret</id>
+        <label>Secret</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>The base64-encoded key. This requires a restart of the Bind Service.</help>
+    </field>
+</form>
\ No newline at end of file
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
index 8439403d18b..a7fb93ed986 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindPrimaryDomain.xml
@@ -17,11 +17,17 @@
         <type>select_multiple</type>
         <help>Define the ACLs where you allow which server can retrieve this zone.</help>
     </field>
+    <field>
+        <id>domain.allowedkeys</id>
+        <label>Allowed RNDC keys</label>
+        <type>select_multiple</type>
+        <help>Allowed RNDC keys for this zone.</help>
+    </field>
     <field>
         <id>domain.allowrndctransfer</id>
-        <label>Allow RDNC key transfer</label>
+        <label>Allow RNDC key transfer</label>
         <type>checkbox</type>
-        <help>Allow transfers via the RDNC key named "rndc-key". The key is shown in the general tab.</help>
+        <help>Allow transfers via the selected RNDC keys</help>
     </field>
     <field>
         <id>domain.allowquery</id>
@@ -31,9 +37,9 @@
     </field>
     <field>
         <id>domain.allowrndcupdate</id>
-        <label>Allow RDNC key update</label>
+        <label>Allow RNDC key update</label>
         <type>checkbox</type>
-        <help>Allow updates via the RDNC key named "rndc-key". The key is shown in the general tab.</help>
+        <help>Allow updates via the selected RNDC keys.</help>
     </field>
     <field>
         <id>domain.ttl</id>
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 23e9c92026e..1b544f39efe 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -182,17 +182,17 @@
         <advanced>true</advanced>
     </field>
     <field>
-        <id>general.rndcalgo</id>
-        <label>Algorithm</label>
-        <type>dropdown</type>
+        <id>general.rndccontrolkeys</id>
+        <label>Allowed RNDC Control Keys</label>
+        <type>select_multiple</type>
+        <help>Allowed RNDC control keys</help>
         <advanced>true</advanced>
-        <help>Set the authentication algorithm for the RNDC key. This requires a restart of the Bind Service.</help>
     </field>
     <field>
-        <id>general.rndcsecret</id>
-        <label>Secret</label>
-        <type>text</type>
+        <id>general.defaultrndccontrolkey</id>
+        <label>Default RNDC Control Key</label>
+        <type>dropdown</type>
+        <help>Default RNDC control key</help>
         <advanced>true</advanced>
-        <help>The base64-encoded RNDC key. This requires a restart of the Bind Service.</help>
     </field>
 </form>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 4f885f4baee..21d7337f103 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -51,6 +51,16 @@
                     <Multiple>Y</Multiple>
                 </allowtransfer>
                 <allowrndctransfer type="BooleanField"/>
+                <allowedkeys type="ModelRelationField">
+                    <Model>
+                        <template>
+                            <source>OPNsense.Bind.Key</source>
+                            <items>keys.key</items>
+                            <display>name</display>
+                        </template>
+                    </Model>
+                    <Multiple>Y</Multiple>
+                </allowedkeys>
                 <allowquery type="ModelRelationField">
                     <Model>
                         <template>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 72e771fbc88..88bb28d4ace 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -156,7 +156,7 @@
             <Required>Y</Required>
             <asList>Y</asList>
         </ratelimitexcept>
-        <rndcalgo type="OptionField">
+        <!-- <rndcalgo type="OptionField">
             <Required>Y</Required>
             <Default>hmac-sha256</Default>
             <OptionValues>
@@ -171,6 +171,29 @@
         <rndcsecret type="Base64Field">
             <Required>Y</Required>
             <Default>VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=</Default>
-        </rndcsecret>
+        </rndcsecret> -->
+        <rndccontrolkeys type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Key</source>
+                    <items>keys.key</items>
+                    <display>name</display>
+                    <group>name</group>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+        </rndccontrolkeys>
+        <defaultrndccontrolkey type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Key</source>
+                    <items>keys.key</items>
+                    <display>name</display>
+                    <group>name</group>
+                </template>
+            </Model>
+            <Multiple>N</Multiple>
+            <AllowDynamic>N</AllowDynamic>
+        </defaultrndccontrolkey>
     </items>
 </model>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Key.php b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Key.php
new file mode 100644
index 00000000000..80268639ae1
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Key.php
@@ -0,0 +1,45 @@
+<?php
+
+/*
+    Copyright (C) 2024 Jeremy Boyle
+
+    All rights reserved.
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+*/
+
+namespace OPNsense\Bind;
+
+use OPNsense\Base\BaseModel;
+
+class Key extends BaseModel
+{
+    /**
+     * @param $uuid string key uuid
+     * @return mixed key
+     */
+    public function getKey($uuid)
+    {
+        foreach ($this->keys->key->iterateItems() as $key) {
+            if ($key->getAttribute('uuid') == $uuid) {
+                return $key;
+            }
+        }
+        return null;
+    }
+}
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Key.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Key.xml
new file mode 100644
index 00000000000..70461cfc392
--- /dev/null
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Key.xml
@@ -0,0 +1,42 @@
+<model>
+    <mount>//OPNsense/bind/key</mount>
+    <description>BIND KEY configuration</description>
+    <version>1.0.0</version>
+    <items>
+        <keys>
+            <key type="ArrayField">
+                <enabled type="BooleanField">
+                    <Default>1</Default>
+                    <Required>Y</Required>
+                </enabled>
+                <name type="TextField">
+                    <Required>Y</Required>
+                    <mask>/^[0-9a-zA-Z_\-]{1,32}$/u</mask>
+                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, A-Z, _ and -.</ValidationMessage>
+                    <Constraints>
+                        <check001>
+                            <ValidationMessage>A Key with this name already exists.</ValidationMessage>
+                            <type>UniqueConstraint</type>
+                        </check001>
+                    </Constraints>
+                </name>
+                <algo type="OptionField">
+                    <Required>Y</Required>
+                    <Default>hmac-sha256</Default>
+                    <OptionValues>
+                        <hmac-sha512>HMAC-SHA512</hmac-sha512>
+                        <hmac-sha384>HMAC-SHA384</hmac-sha384>
+                        <hmac-sha256>HMAC-SHA256</hmac-sha256>
+                        <hmac-sha224>HMAC-SHA224</hmac-sha224>
+                        <hmac-sha1>HMAC-SHA1</hmac-sha1>
+                        <hmac-md5>HMAC-MD5</hmac-md5>
+                    </OptionValues>
+                </algo>
+                <secret type="Base64Field">
+                    <Required>Y</Required>
+                    <Default>VxtIzJevSQXqnr7h2qerrcwjnZlMWSGGFBndKeNIDfw=</Default>
+                </secret>
+            </key>
+        </keys>
+    </items>
+</model>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 0649c0eb2c8..ab37eca238e 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -31,6 +31,7 @@
     <li class="active"><a data-toggle="tab" href="#general">{{ lang._('General') }}</a></li>
     <li><a data-toggle="tab" href="#dnsbl">{{ lang._('DNSBL') }}</a></li>
     <li><a data-toggle="tab" href="#acls">{{ lang._('ACLs') }}</a></li>
+    <li><a data-toggle="tab" href="#keys">{{ lang._('Keys') }}</a></li>
     <li><a data-toggle="tab" href="#primary-domains">{{ lang._('Primary Zones') }}</a></li>
     <li><a data-toggle="tab" href="#secondary-domains">{{ lang._('Secondary Zones') }}</a></li>
 </ul>
@@ -83,6 +84,36 @@
             <br /><br />
         </div>
     </div>
+    <div id="keys" class="tab-pane fade in">
+        <div id="keys-area" class="table-responsive">
+            <table id="grid-keys" class="table table-condensed table-hover table-striped" data-editDialog="dialogEditBindKey">
+                <thead>
+                    <tr>
+                        <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                        <th data-column-id="name" data-type="string" data-visible="true">{{ lang._('Name') }}</th>
+                        <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
+                        <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                    </tr>
+                </thead>
+                <tbody>
+                </tbody>
+                <tfoot>
+                    <tr>
+                        <td colspan="4"></td>
+                        <td>
+                            <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                            <button data-action="deleteSelected" type="button" class="btn btn-xs btn-default"><span class="fa fa-trash-o"></span></button>
+                        </td>
+                    </tr>
+                </tfoot>
+            </table>
+        </div>
+        <div class="col-md-12">
+            <hr />
+            <button class="btn btn-primary" id="saveAct_key" type="button"><b>{{ lang._('Save') }}</b> <i id="saveAct_key_progress"></i></button>
+            <br /><br />
+        </div>
+    </div>
     <div id="primary-domains" class="tab-pane fade in">
         <div class="col-md-12">
             <h2>{{ lang._('Zones') }}</h2>
@@ -192,6 +223,7 @@
 </div>
 
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindAcl,'id':'dialogEditBindAcl','label':lang._('Edit ACL')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogEditBindKey,'id':'dialogEditBindKey','label':lang._('Edit KEY')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindPrimaryDomain,'id':'dialogEditBindPrimaryDomain','label':lang._('Edit Primary Zone')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindSecondaryDomain,'id':'dialogEditBindSecondaryDomain','label':lang._('Edit Secondary Zone')])}}
 {{ partial("layout_partials/base_dialog",['fields':formDialogEditBindRecord,'id':'dialogEditBindRecord','label':lang._('Edit Record')])}}
@@ -362,6 +394,15 @@ $(document).ready(function() {
         'toggle': '/api/bind/acl/toggleAcl/'
     });
 
+    $("#grid-keys").UIBootgrid({
+        'search': '/api/bind/key/searchKey',
+        'get': '/api/bind/key/getKey/',
+        'set': '/api/bind/key/setKey/',
+        'add': '/api/bind/key/addKey/',
+        'del': '/api/bind/key/delKey/',
+        'toggle': '/api/bind/key/toggleKey/'
+    });
+
     $("#grid-primary-domains").UIBootgrid({
         'search': '/api/bind/domain/searchPrimaryDomain',
         'get': '/api/bind/domain/getDomain/',
@@ -492,6 +533,16 @@ $(document).ready(function() {
         });
     });
 
+    $("#saveAct_key").click(function() {
+        saveFormToEndpoint(url = "/api/bind/key/set", formid = 'frm_general_settings', callback_ok = function() {
+            $("#saveAct_key_progress").addClass("fa fa-spinner fa-pulse");
+            ajaxCall(url = "/api/bind/service/reconfigure", sendData = {}, callback = function(data, status) {
+                updateServiceControlUI('bind');
+                $("#saveAct_key_progress").removeClass("fa fa-spinner fa-pulse");
+            });
+        });
+    });
+
     $(".saveAct_domain").click(function() {
         $(".saveAct_domain_progress").addClass("fa fa-spinner fa-pulse");
         ajaxCall("/api/bind/service/reconfigure", {}, function(data, status) {
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/preStart.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/preStart.sh
new file mode 100644
index 00000000000..9ae18e6c320
--- /dev/null
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/preStart.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+# Thaw all zones before starting BIND
+/usr/local/sbin/rndc thaw
diff --git a/dns/bind/src/opnsense/scripts/OPNsense/Bind/preStop.sh b/dns/bind/src/opnsense/scripts/OPNsense/Bind/preStop.sh
new file mode 100644
index 00000000000..19ad67642fd
--- /dev/null
+++ b/dns/bind/src/opnsense/scripts/OPNsense/Bind/preStop.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+# Freeze all zones before stopping BIND
+/usr/local/sbin/rndc freeze
diff --git a/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf b/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
index c3d4a47a5e0..8324fa5266f 100644
--- a/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
+++ b/dns/bind/src/opnsense/service/conf/actions.d/actions_bind.conf
@@ -1,20 +1,20 @@
 [start]
-command:/usr/local/etc/rc.d/named start
+command:/usr/local/opnsense/scripts/OPNsense/Bind/preStart.sh; /usr/local/etc/rc.d/named start
 parameters:
 type:script
-message:starting BIND
+message:thawing all zones and starting BIND
 
 [stop]
-command:/usr/local/etc/rc.d/named stop
+command:/usr/local/opnsense/scripts/OPNsense/Bind/preStop.sh; /usr/local/etc/rc.d/named stop
 parameters:
 type:script
-message:stopping BIND
+message:freezing all zones and stopping BIND
 
 [restart]
-command:/usr/local/etc/rc.d/named restart
+command:/usr/local/opnsense/scripts/OPNsense/Bind/preStop.sh; /usr/local/etc/rc.d/named restart; /usr/local/opnsense/scripts/OPNsense/Bind/preStart.sh
 parameters:
 type:script
-message:restarting BIND
+message:freezing all zones, restarting BIND, and thawing all zones
 
 [status]
 command:/usr/local/etc/rc.d/named status; exit 0
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 6b833e19a9c..82f420a3b87 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -101,14 +101,41 @@ options {
 {% endif %}
 };
 
-{% if helpers.exists('OPNsense.bind.general.rndcalgo') and helpers.exists('OPNsense.bind.general.rndcsecret') %}
-key "rndc-key" {
-        algorithm "{{ OPNsense.bind.general.rndcalgo }}";
-        secret "{{ OPNsense.bind.general.rndcsecret }}";
+{% if helpers.exists('OPNsense.bind.key.keys.key') %}
+{%   set control_keys_list = [] %}
+
+{% for key_item in helpers.toList('OPNsense.bind.key.keys.key') %}
+{%  if key_item.enabled == '1' %}
+key "{{ key_item.name }}" {
+    algorithm "{{ key_item.algo }}";
+    secret "{{ key_item.secret }}";
 };
+{%    if helpers.exists('OPNsense.bind.general.rndccontrolkeys') %}
+{%      for control_key in OPNsense.bind.general.rndccontrolkeys.split(',') %}
+{%        if key_item['@uuid'] == control_key %}
+{%          set _ = control_keys_list.append(key_item.name) %}
+{%        endif %}
+{%      endfor %}
+{%    endif %}
+{%    if helpers.exists('OPNsense.bind.general.defaultrndccontrolkeys') %}
+{%      for default_control_key in OPNsense.bind.general.defaultrndccontrolkey %}
+{%        if key_item['@uuid'] == default_control_key %}
+{%          if key_item.name not in control_keys_list %}
+{%            set _ = control_keys_list.append(key_item.name) %}
+{%          endif %}
+{%        endif %}
+{%      endfor %}
+{%    endif %}
+{%  endif %}
+{% endfor %}
+
 controls {
-        inet 127.0.0.1 port 9530
-                allow { 127.0.0.1; } keys { "rndc-key"; };
+    inet 127.0.0.1 port 9530
+        allow { 127.0.0.1; } keys {
+            {% for key_name in control_keys_list %}
+            "{{ key_name }}";
+            {% endfor %}
+        };
 };
 {% endif %}
 
@@ -167,7 +194,14 @@ zone "{{ domain.domainname }}" {
 {%      if domain.allowtransfer is defined or (domain.allowrndctransfer is defined and domain.allowrndctransfer == "1") %}
         allow-transfer {
 {%          if domain.allowrndctransfer is defined and domain.allowrndctransfer == "1" %}
-                key "rndc-key";
+{%            if domain.allowedkeys is defined %}
+{%              for rndckey in domain.allowedkeys.split(',') %}
+{%                set transfer_key = helpers.getUUID(rndckey) %}
+{%                if  transfer_key.enabled == "1" %}
+                key "{{ transfer_key.name }}";
+{%                endif %}
+{%              endfor %}
+{%            endif %}
 {%          endif %}
 {%          if domain.allowtransfer is defined %}
 {%              for acl in domain.allowtransfer.split(',') %}
@@ -187,7 +221,14 @@ zone "{{ domain.domainname }}" {
 {%      endif %}
 {%      if domain.allowrndcupdate is defined and domain.allowrndcupdate == "1" and domain.type != 'secondary' %}
         update-policy {
-		grant rndc-key zonesub ANY;
+{%        if domain.allowedkeys is defined %}
+{%          for rndckey in domain.allowedkeys.split(',') %}
+{%            set update_key = helpers.getUUID(rndckey) %}
+{%            if  update_key.enabled == "1" %}
+          grant "{{ update_key.name }}" zonesub ANY;
+{%            endif %}
+{%          endfor %}
+{%        endif %}
         };
 {%      endif %}
 };
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/rndc.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/rndc.conf
index d4800520f14..0b9c8cc5800 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/rndc.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/rndc.conf
@@ -1,11 +1,12 @@
-{% if helpers.exists('OPNsense.bind.general.rndcalgo') and helpers.exists('OPNsense.bind.general.rndcsecret') %}
-key "rndc-key" {
-        algorithm "{{ OPNsense.bind.general.rndcalgo }}";
-        secret "{{ OPNsense.bind.general.rndcsecret }}";
+{% if helpers.exists('OPNsense.bind.general.defaultrndccontrolkey') and helpers.exists('OPNsense.bind.key.keys.key') %}
+{%  set key = helpers.getUUID(OPNsense.bind.general.defaultrndccontrolkey) %}
+key "{{ key.name }}" {
+        algorithm "{{ key.algo }}";
+        secret "{{ key.secret }}";
 };
 
 options {
-        default-key "rndc-key";
+        default-key "{{ key.name }}";
         default-server 127.0.0.1;
         default-port 9530;
 };