diff --git a/middleware/dnssec/README.md b/middleware/dnssec/README.md index 9845917f0..b87b25b1c 100644 --- a/middleware/dnssec/README.md +++ b/middleware/dnssec/README.md @@ -26,6 +26,7 @@ TODO(miek): think about key rollovers, and how to do them automatically. ~~~ dnssec [ZONES... ] { key file KEY... + cache_capacity CAPACITY } ~~~ @@ -33,4 +34,9 @@ dnssec [ZONES... ] { will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a ECDSAP256SHA256 `. A key created for zone *A* can be safely used for zone *B*. + +* `cache_capacity` indicates the capacity of the LRU cache. The dnssec middleware uses LRU cache to manage + objects and the default capacity is 10000. + + ## Examples diff --git a/middleware/dnssec/setup.go b/middleware/dnssec/setup.go index a61a42453..19a68a853 100644 --- a/middleware/dnssec/setup.go +++ b/middleware/dnssec/setup.go @@ -1,6 +1,7 @@ package dnssec import ( + "strconv" "strings" "github.com/miekg/coredns/core/dnsserver" @@ -18,12 +19,12 @@ func init() { } func setup(c *caddy.Controller) error { - zones, keys, err := dnssecParse(c) + zones, keys, capacity, err := dnssecParse(c) if err != nil { return middleware.Error("dnssec", err) } - cache, err := lru.New(defaultCap) + cache, err := lru.New(capacity) if err != nil { return err } @@ -34,10 +35,12 @@ func setup(c *caddy.Controller) error { return nil } -func dnssecParse(c *caddy.Controller) ([]string, []*DNSKEY, error) { +func dnssecParse(c *caddy.Controller) ([]string, []*DNSKEY, int, error) { zones := []string{} keys := []*DNSKEY{} + + capacity := defaultCap for c.Next() { if c.Val() == "dnssec" { // dnssec [zones...] 
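Review bot: In the setup hunk, `lru.New(capacity)` is now fed a user-supplied size, yet its error is still returned bare (`return err`) while the parse error a few lines above is wrapped with `middleware.Error("dnssec", err)`; if lru.New rejects the configured size (presumably it does for non-positive values) the operator sees a message without the middleware name. Wrap it the same way: `return middleware.Error("dnssec", err)`. setup's body continues past the end of this hunk.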
@@ -49,47 +52,57 @@ func dnssecParse(c *caddy.Controller) ([]string, []*DNSKEY, error) {
 			}
 			for c.NextBlock() {
-				k, e := keyParse(c)
-				if e != nil {
-					return nil, nil, e
+				switch c.Val() {
+				case "key":
+					k, e := keyParse(c)
+					if e != nil {
+						return nil, nil, 0, e
+					}
+					keys = append(keys, k...)
+				case "cache_capacity":
+					if !c.NextArg() {
+						return nil, nil, 0, c.ArgErr()
+					}
+					value := c.Val()
+					cacheCap, err := strconv.Atoi(value)
+					if err != nil {
+						return nil, nil, 0, err
+					}
+					capacity = cacheCap
 				}
-				keys = append(keys, k...)
+
 			}
 		}
 	}
 	for i := range zones {
 		zones[i] = middleware.Host(zones[i]).Normalize()
 	}
-	return zones, keys, nil
+	return zones, keys, capacity, nil
 }
 
 func keyParse(c *caddy.Controller) ([]*DNSKEY, error) {
 	keys := []*DNSKEY{}
 
-	what := c.Val()
 	if !c.NextArg() {
 		return nil, c.ArgErr()
 	}
 	value := c.Val()
 
-	switch what {
-	case "key":
-		if value == "file" {
-			ks := c.RemainingArgs()
-			for _, k := range ks {
-				base := k
-				// Kmiek.nl.+013+26205.key, handle .private or without extension: Kmiek.nl.+013+26205
-				if strings.HasSuffix(k, ".key") {
-					base = k[:len(k)-4]
-				}
-				if strings.HasSuffix(k, ".private") {
-					base = k[:len(k)-8]
-				}
-				k, err := ParseKeyFile(base+".key", base+".private")
-				if err != nil {
-					return nil, err
-				}
-				keys = append(keys, k)
+	if value == "file" {
+		ks := c.RemainingArgs()
+		for _, k := range ks {
+			base := k
+			// Kmiek.nl.+013+26205.key, handle .private or without extension: Kmiek.nl.+013+26205
+			if strings.HasSuffix(k, ".key") {
+				base = k[:len(k)-4]
 			}
+			if strings.HasSuffix(k, ".private") {
+				base = k[:len(k)-8]
+			}
+			k, err := ParseKeyFile(base+".key", base+".private")
+			if err != nil {
+				return nil, err
+			}
+			keys = append(keys, k)
 		}
 	}
 	return keys, nil
diff --git a/middleware/dnssec/setup_test.go b/middleware/dnssec/setup_test.go
index 9dbeb77fd..3940505a9 100644
--- a/middleware/dnssec/setup_test.go
+++ b/middleware/dnssec/setup_test.go
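Review bot: The new `cache_capacity` case stores whatever integer `strconv.Atoi` returns, so `cache_capacity 0` or a negative value passes parsing and only fails later in setup when it reaches lru.New, presumably with a generic size error that does not point at the directive. The `switch c.Val()` also has no `default`, so a misspelled property inside the `dnssec` block is silently ignored and the default capacity stays in effect (before this change an unknown property with an argument was likewise ignored by keyParse, so rejecting it is a deliberate tightening). Validating the value at parse time and reporting unknown properties with `c.Errf` keeps a misconfiguration visible at startup instead of as a surprising cache size. Dropping the `what` dispatch from keyParse is fine now that it is only reached from the `"key"` case; dnssecParse's signature line lies before this hunk.
```go
			for c.NextBlock() {
				switch c.Val() {
				// … unchanged: case "key" …
				case "cache_capacity":
					if !c.NextArg() {
						return nil, nil, 0, c.ArgErr()
					}
					value := c.Val()
					cacheCap, err := strconv.Atoi(value)
					if err != nil {
						return nil, nil, 0, err
					}
					// lru sizes must be positive; reject here so the error names the directive
					if cacheCap <= 0 {
						return nil, nil, 0, c.Errf("cache_capacity must be a positive integer, got %q", value)
					}
					capacity = cacheCap
				default:
					return nil, nil, 0, c.Errf("unknown property %q", c.Val())
				}
			}
```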
@@ -13,19 +13,25 @@ func TestSetupDnssec(t *testing.T) {
 		shouldErr          bool
 		expectedZones      []string
 		expectedKeys       []string
+		expectedCapacity   int
 		expectedErrContent string
 	}{
 		{
-			`dnssec`, false, nil, nil, "",
+			`dnssec`, false, nil, nil, defaultCap, "",
 		},
 		{
-			`dnssec miek.nl`, false, []string{"miek.nl."}, nil, "",
+			`dnssec miek.nl`, false, []string{"miek.nl."}, nil, defaultCap, "",
+		},
+		{
+			`dnssec miek.nl {
+				cache_capacity 100
+			}`, false, []string{"miek.nl."}, nil, 100, "",
 		},
 	}
 
 	for i, test := range tests {
 		c := caddy.NewTestController("dns", test.input)
-		zones, keys, err := dnssecParse(c)
+		zones, keys, capacity, err := dnssecParse(c)
 
 		if test.shouldErr && err == nil {
 			t.Errorf("Test %d: Expected error but found %s for input %s", i, err, test.input)
@@ -51,6 +57,9 @@ func TestSetupDnssec(t *testing.T) {
 				t.Errorf("Dnssec not correctly set for input %s. Expected: '%s', actual: '%s'", test.input, k, keys[i].K.Header().Name)
 			}
 		}
+			if capacity != test.expectedCapacity {
+				t.Errorf("Dnssec not correctly set capacity for input '%s' Expected: '%d', actual: '%d'", test.input, capacity, test.expectedCapacity)
+			}
 		}
 	}
 }
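Review bot: The table gains one success row for `cache_capacity 100` but no row for the error paths the new parser introduces: a bare `cache_capacity` with no value (which should yield `c.ArgErr()`) and a non-numeric value such as `cache_capacity abc` (which should surface the strconv error). The `shouldErr` and `expectedErrContent` columns exist for exactly this, so two extra rows with `shouldErr` set to true and `expectedCapacity` 0 would pin the behaviour down. TestSetupDnssec continues past the end of this hunk.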
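Review bot: The new capacity assertion prints its operands in the wrong order: the format reads `Expected: '%d', actual: '%d'` but the arguments are `capacity, test.expectedCapacity`, so a failing run would label the observed value as the expected one. Swap them: `t.Errorf("Dnssec not correctly set capacity for input '%s' Expected: '%d', actual: '%d'", test.input, test.expectedCapacity, capacity)`. TestSetupDnssec's body begins before this hunk.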