diff --git a/Knot.files b/Knot.files
index e57dce2e383b34680a9d6555408d6ec7ed295347..530b1842961c02365c6bf8c4f89d5ea4b107e3a6 100644
--- a/Knot.files
+++ b/Knot.files
@@ -71,6 +71,8 @@ src/knot/dnssec/nsec-chain.c
 src/knot/dnssec/nsec-chain.h
 src/knot/dnssec/nsec3-chain.c
 src/knot/dnssec/nsec3-chain.h
+src/knot/dnssec/policy.c
+src/knot/dnssec/policy.h
 src/knot/dnssec/zone-events.c
 src/knot/dnssec/zone-events.h
 src/knot/dnssec/zone-keys.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 8f94f5cf0d8507b787b143780cfec1e288864f05..d276ac413e1f71def847de071362ecac5c60f92c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -217,6 +217,8 @@ libknotd_la_SOURCES =				\
 	knot/dnssec/nsec-chain.h		\
 	knot/dnssec/nsec3-chain.c		\
 	knot/dnssec/nsec3-chain.h		\
+	knot/dnssec/policy.c			\
+	knot/dnssec/policy.h			\
 	knot/dnssec/zone-events.c		\
 	knot/dnssec/zone-events.h		\
 	knot/dnssec/zone-keys.c			\
diff --git a/src/knot/conf/conf.c b/src/knot/conf/conf.c
index 238045bbcc05900b37bf989d0e96f4fb5db8e321..1e3896f625f8623185f1983182f0773793dc77d7 100644
--- a/src/knot/conf/conf.c
+++ b/src/knot/conf/conf.c
@@ -584,7 +584,7 @@ conf_t *conf_new(char* path)
 	c->notify_timeout = CONFIG_NOTIFY_TIMEOUT;
 	c->dbsync_timeout = CONFIG_DBSYNC_TIMEOUT;
 	c->max_udp_payload = KNOT_EDNS_MAX_UDP_PAYLOAD;
-	c->sig_lifetime = KNOT_DNSSEC_DEFAULT_LIFETIME;
+	c->sig_lifetime = 0;
 	c->serial_policy = CONFIG_SERIAL_DEFAULT;
 	c->uid = -1;
 	c->gid = -1;
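Review bot: `c->sig_lifetime = 0;` makes 0 an undocumented "not configured" sentinel. The only place in this commit that resolves it is set_default_policy in knot/dnssec/policy.c, where `sig_lifetime <= 0` selects DEFAULT_RRSIG_LIFETIME. Any other reader of sig_lifetime outside this diff would now see 0 instead of a usable lifetime, so the remaining users are worth checking. I would add a comment on this line such as `/* 0 = not configured; default applied in set_default_policy() */`. conf_new's body starts and ends outside the hunk.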
diff --git a/src/knot/conf/conf.h b/src/knot/conf/conf.h
index d6b9d0b459abe99dcadd12d9805b87ae0114cc67..45f4bab7f0ce7cebef6e2ae255a37080f094838a 100644
--- a/src/knot/conf/conf.h
+++ b/src/knot/conf/conf.h
@@ -36,7 +36,6 @@
 #include "libknot/dname.h"
 #include "libknot/rrtype/tsig.h"
 #include "libknot/dnssec/key.h"
-#include "libknot/dnssec/policy.h"
 #include "libknot/internal/lists.h"
 #include "libknot/internal/namedb/namedb.h"
 #include "knot/common/log.h"
diff --git a/src/knot/dnssec/policy.c b/src/knot/dnssec/policy.c
new file mode 100644
index 0000000000000000000000000000000000000000..ad8883e6bbb23778656eac58612fc820b6de69cb
--- /dev/null
+++ b/src/knot/dnssec/policy.c
@@ -0,0 +1,65 @@
+/*  Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <assert.h>
+
+#include "knot/conf/conf.h"
+#include "knot/dnssec/context.h"
+#include "knot/zone/contents.h"
+#include "libknot/rrtype/soa.h"
+
+#define MINIMAL_RRSIG_LIFETIME (3 * 60 * 60)
+#define DEFAULT_RRSIG_LIFETIME (30 * 24 * 60 * 60)
+
+static uint32_t zone_soa_min_ttl(const zone_contents_t *zone)
+{
+	knot_rrset_t soa = node_rrset(zone->apex, KNOT_RRTYPE_SOA);
+	return knot_soa_minimum(&soa.rrs);
+}
+
+static uint32_t zone_soa_ttl(const zone_contents_t *zone)
+{
+	knot_rrset_t soa = node_rrset(zone->apex, KNOT_RRTYPE_SOA);
+	return knot_rrset_ttl(&soa);
+}
+
+void update_policy_from_zone(dnssec_kasp_policy_t *policy,
+                             const zone_contents_t *zone)
+{
+	assert(policy);
+	assert(zone);
+
+	policy->soa_minimal_ttl = zone_soa_min_ttl(zone);
+	policy->dnskey_ttl = zone_soa_ttl(zone);
+	policy->zone_maximal_ttl = 0; // TODO
+}
+
+void set_default_policy(dnssec_kasp_policy_t *policy, const conf_zone_t *config,
+                        const zone_contents_t *zone)
+{
+	if (config->sig_lifetime <= 0) {
+		policy->rrsig_lifetime = DEFAULT_RRSIG_LIFETIME;
+	} else if (config->sig_lifetime < MINIMAL_RRSIG_LIFETIME) {
+		policy->rrsig_lifetime = MINIMAL_RRSIG_LIFETIME;
+	} else {
+		policy->rrsig_lifetime = config->sig_lifetime;
+	}
+	policy->rrsig_refresh_before = policy->rrsig_lifetime / 10;
+	policy->algorithm = 0;
+	policy->propagation_delay = 0;
+
+	update_policy_from_zone(policy, zone);
+}
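Review bot: set_default_policy reads `config->sig_lifetime` and writes through `policy` with no argument check, while update_policy_from_zone asserts its pointers; add `assert(policy); assert(config); assert(zone);` at the top, bearing in mind that asserts disappear under NDEBUG. The lifetime clamp has a floor (MINIMAL_RRSIG_LIFETIME) but no ceiling, so an arbitrarily large configured value is accepted as is; long-lived RRSIGs remain replayable for longer after the data changes, so an upper bound or a logged warning seems worth considering. With `zone_maximal_ttl = 0; // TODO` and `rrsig_refresh_before = policy->rrsig_lifetime / 10`, the refresh margin at the 3-hour floor is 18 minutes regardless of the TTLs in the zone, which looks tight if the signer relies on these fields alone; a comment stating the intended follow-up would help. The file also does not include its own header, so the compiler cannot check the definitions against the prototypes; add `#include "knot/dnssec/policy.h"`.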
diff --git a/src/knot/dnssec/policy.h b/src/knot/dnssec/policy.h
new file mode 100644
index 0000000000000000000000000000000000000000..1dbec19a8e7c0bb49b25be83425b1ba766c5facc
--- /dev/null
+++ b/src/knot/dnssec/policy.h
@@ -0,0 +1,33 @@
+/*  Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#pragma once
+
+#include "knot/conf/conf.h"
+#include "knot/dnssec/context.h"
+#include "knot/zone/contents.h"
+
+/*!
+ * \brief Update policy parameters depending on zone content.
+ */
+void update_policy_from_zone(dnssec_kasp_policy_t *policy,
+                             const zone_contents_t *zone);
+
+/*!
+ * \brief Set default DNSSEC policy for zone without assigned policy.
+ */
+void set_default_policy(dnssec_kasp_policy_t *policy, const conf_zone_t *config,
+                        const zone_contents_t *zone);
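Review bot: The two `\brief` comments leave out the contract a caller needs, which is visible only in policy.c. For set_default_policy I would document that `config->sig_lifetime <= 0` selects the built-in default, that smaller positive values are raised to the minimal lifetime, and that the refresh interval is derived as one tenth of the resulting lifetime. Both functions should carry `\param` lines stating that `policy` and `zone` must be non-NULL and that `zone` is expected to have an apex with a SOA record, since the implementation reads `zone->apex` without checking it. For update_policy_from_zone, a line such as `\note zone_maximal_ttl is not computed yet and is set to 0.` would keep callers from relying on that field.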