diff --git a/Makefile b/Makefile
index ff3747b0fdc230551d1694cfd503eb7511a761f6..78d10e8282497f7d28154ccca71c8fa8b1b4753c 100644
--- a/Makefile
+++ b/Makefile
@@ -28,6 +28,7 @@ $(eval $(call find_bin,gccgo))
 $(eval $(call find_python))
 $(eval $(call find_lib,libmemcached,1.0))
 $(eval $(call find_lib,hiredis))
+$(eval $(call find_lib,libdnssec))
 
 # Work around luajit on OS X
 ifeq ($(PLATFORM), Darwin)
@@ -36,7 +37,7 @@ ifneq (,$(findstring luajit, $(lua_LIBS)))
 endif
 endif
 
-CFLAGS += $(libknot_CFLAGS) $(libuv_CFLAGS) $(cmocka_CFLAGS) $(python_CFLAGS) $(lua_CFLAGS)
+CFLAGS += $(libknot_CFLAGS) $(libuv_CFLAGS) $(cmocka_CFLAGS) $(python_CFLAGS) $(lua_CFLAGS) $(libdnssec_CFLAGS)
 
 # Sub-targets
 include help.mk
diff --git a/daemon/daemon.mk b/daemon/daemon.mk
index 6088050782d8f303670d5bc1921a30438e6ff688..0b7b0f271babe39ba98645005faabf6a80625fdd 100644
--- a/daemon/daemon.mk
+++ b/daemon/daemon.mk
@@ -19,7 +19,7 @@ daemon/engine.o: daemon/lua/sandbox.inc daemon/lua/config.inc
 
 # Dependencies
 kresd_DEPEND := $(libkres)
-kresd_LIBS := $(libkres_TARGET) $(libknot_LIBS) $(libuv_LIBS) $(lua_LIBS)
+kresd_LIBS := $(libkres_TARGET) $(libknot_LIBS) $(libdnssec_LIBS) $(libuv_LIBS) $(lua_LIBS)
 
 # Make binary
 ifeq ($(HAS_lua)|$(HAS_libuv), yes|yes)
diff --git a/daemon/main.c b/daemon/main.c
index 5f4d9fff6c28d2d519a5d0bbdb2385b31dfe7754..202abd31bdf631908ff3cde2c9eca2723119f99d 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -24,6 +24,7 @@
 #include "contrib/ccan/asprintf/asprintf.h"
 #include "lib/defines.h"
 #include "lib/resolve.h"
+#include "lib/dnssec.h"
 #include "daemon/network.h"
 #include "daemon/worker.h"
 #include "daemon/engine.h"
@@ -244,6 +245,8 @@ int main(int argc, char **argv)
 		}
 	}
 
+	kr_crypto_init();
+
 	/* Fork subprocesses if requested */
 	while (--forks > 0) {
 		int pid = fork();
@@ -253,6 +256,7 @@ int main(int argc, char **argv)
 		}
 		/* Forked process */
 		if (pid == 0) {
+			kr_crypto_reinit();
 			break;
 		}
 	}
@@ -298,5 +302,6 @@ int main(int argc, char **argv)
 	if (ret != 0) {
 		ret = EXIT_FAILURE;
 	}
+	kr_crypto_cleanup();
 	return ret;
 }
diff --git a/lib/dnssec.c b/lib/dnssec.c
new file mode 100644
index 0000000000000000000000000000000000000000..e7ac4a5d4ee81072c16f266fde43e41f2c0175e1
--- /dev/null
+++ b/lib/dnssec.c
@@ -0,0 +1,36 @@
+/*  Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <dnssec/crypto.h>
+
+#include "lib/dnssec.h"
+
+#define DEBUG_MSG(fmt...) fprintf(stderr, fmt)
+
+void kr_crypto_init(void)
+{
+	dnssec_crypto_init();
+}
+
+void kr_crypto_cleanup(void)
+{
+	dnssec_crypto_cleanup();
+}
+
+void kr_crypto_reinit(void)
+{
+	dnssec_crypto_reinit();
+}
diff --git a/lib/dnssec.h b/lib/dnssec.h
new file mode 100644
index 0000000000000000000000000000000000000000..a29249cc0a64252872ecbac3b4d86eb717f2470f
--- /dev/null
+++ b/lib/dnssec.h
@@ -0,0 +1,33 @@
+/*  Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+/**
+ * Initialise cryptographic back-end.
+ */
+void kr_crypto_init(void);
+
+/**
+ * De-initialise cryptographic back-end.
+ */
+void kr_crypto_cleanup(void);
+
+/**
+ * Re-initialise cryptographic back-end.
+ * @note Must be called after fork() in the child.
+ */
+void kr_crypto_reinit(void);
diff --git a/lib/lib.mk b/lib/lib.mk
index a4b1bacb102f102dbe387a65f59034a0fcb28a1c..a47c67017ed7ee3b926cd381652559c9644afbba 100644
--- a/lib/lib.mk
+++ b/lib/lib.mk
@@ -11,6 +11,7 @@ libkres_SOURCES := \
 	lib/layer/validate.c   \
 	lib/layer/rrcache.c    \
 	lib/layer/pktcache.c   \
+	lib/dnssec.c           \
 	lib/utils.c            \
 	lib/nsrep.c            \
 	lib/module.c           \
@@ -24,6 +25,7 @@ libkres_HEADERS := \
 	lib/generic/map.h      \
 	lib/generic/set.h      \
 	lib/layer.h            \
+	lib/dnssec.h           \
 	lib/utils.h            \
 	lib/nsrep.h            \
 	lib/module.h           \
@@ -34,7 +36,7 @@ libkres_HEADERS := \
 
 # Dependencies
 libkres_DEPEND := 
-libkres_LIBS := $(libknot_LIBS)
+libkres_LIBS := $(libknot_LIBS) $(libdnssec_LIBS)
 libkres_TARGET := -Wl,-rpath,lib -Llib -lkres
 
 # Make library