diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
index f21660553c90ae85f56b4c263e57d3f693446c49..33c97135fb65ad9476c598dbde8a63e4ae242132 100644
--- a/src/knot/dnssec/zone-keys.c
+++ b/src/knot/dnssec/zone-keys.c
@@ -107,6 +107,36 @@ static void set_zone_key_flags(const knot_key_params_t *params,
 	                 (params->time_delete == 0 || now < params->time_delete);
 }
 
+/*!
+ * \brief Enable STSS if all keys are KSK/ZSK exclusively.
+ *
+ * \return STSS was enabled.
+ */
+static bool enable_single_type_signing(knot_zone_keys_t *keys)
+{
+	assert(keys);
+
+	int num_keys = 0;
+	int num_zone = 0;
+
+	knot_zone_key_t *key = NULL;
+	WALK_LIST(key, keys->list) {
+		if (key->is_ksk) { num_keys += 1; }
+		if (key->is_zsk) { num_zone += 1; }
+	}
+
+	if ((num_keys + num_zone == 0) || (num_keys > 0 && num_zone > 0)) {
+		return false;
+	}
+
+	WALK_LIST(key, keys->list) {
+		key->is_ksk = true;
+		key->is_zsk = true;
+	}
+
+	return true;
+}
+
 /*!
  * \brief Check if there is a functional KSK and ZSK for each used algorithm.
  */
@@ -281,6 +311,10 @@ int knot_load_zone_keys(const char *keydir_name, const knot_dname_t *zone_name,
 
 	closedir(keydir);
 
+	if (enable_single_type_signing(keys)) {
+		log_zone_info(zone_name, "DNSSEC, using Single-Type Signing Scheme");
+	}
+
 	if (result == KNOT_EOK) {
 		result = check_keys_validity(keys);
 	}