diff --git a/internal/db/models/nameservers/ns_domain_dao.go b/internal/db/models/nameservers/ns_domain_dao.go
index c50cbc57..13e417b4 100644
--- a/internal/db/models/nameservers/ns_domain_dao.go
+++ b/internal/db/models/nameservers/ns_domain_dao.go
@@ -194,3 +194,42 @@ func (this *NSDomainDAO) FindDomainIdWithName(tx *dbs.Tx, clusterId int64, name
 		ResultPk().
 		FindInt64Col(0)
 }
+
+// FindEnabledDomainTSIG 获取TSIG配置
+func (this *NSDomainDAO) FindEnabledDomainTSIG(tx *dbs.Tx, domainId int64) ([]byte, error) {
+	tsig, err := this.Query(tx).
+		Pk(domainId).
+		Result("tsig").
+		FindStringCol("")
+	if err != nil {
+		return nil, err
+	}
+	return []byte(tsig), nil
+}
+
+// UpdateDomainTSIG 修改TSIG配置
+func (this *NSDomainDAO) UpdateDomainTSIG(tx *dbs.Tx, domainId int64, tsigJSON []byte) error {
+	version, err := this.IncreaseVersion(tx)
+	if err != nil {
+		return err
+	}
+
+	return this.Query(tx).
+		Pk(domainId).
+		Set("tsig", tsigJSON).
+		Set("version", version).
+		UpdateQuickly()
+}
+
+// NotifyUpdate 通知更改
+func (this *NSDomainDAO) NotifyUpdate(tx *dbs.Tx, domainId int64) error {
+	version, err := this.IncreaseVersion(tx)
+	if err != nil {
+		return err
+	}
+
+	return this.Query(tx).
+		Pk(domainId).
+		Set("version", version).
+		UpdateQuickly()
+}
diff --git a/internal/db/models/nameservers/ns_key_dao.go b/internal/db/models/nameservers/ns_key_dao.go
index f5bfb7e4..4decd932 100644
--- a/internal/db/models/nameservers/ns_key_dao.go
+++ b/internal/db/models/nameservers/ns_key_dao.go
@@ -1,6 +1,7 @@
 package nameservers
 
 import (
+	"github.com/TeaOSLab/EdgeAPI/internal/db/models"
 	"github.com/TeaOSLab/EdgeAPI/internal/errors"
 	"github.com/TeaOSLab/EdgeCommon/pkg/dnsconfigs"
 	_ "github.com/go-sql-driver/mysql"
@@ -44,12 +45,15 @@ func (this *NSKeyDAO) EnableNSKey(tx *dbs.Tx, id int64) error {
 }
 
 // DisableNSKey 禁用条目
-func (this *NSKeyDAO) DisableNSKey(tx *dbs.Tx, id int64) error {
+func (this *NSKeyDAO) DisableNSKey(tx *dbs.Tx, keyId int64) error {
 	_, err := this.Query(tx).
-		Pk(id).
+		Pk(keyId).
 		Set("state", NSKeyStateDisabled).
 		Update()
-	return err
+	if err != nil {
+		return err
+	}
+	return this.NotifyUpdate(tx, keyId)
 }
 
 // FindEnabledNSKey 查找启用中的条目
@@ -82,7 +86,17 @@ func (this *NSKeyDAO) CreateKey(tx *dbs.Tx, domainId int64, zoneId int64, name s
 	op.Secret = secret
 	op.SecretType = secretType
 	op.State = NSKeyStateEnabled
-	return this.SaveInt64(tx, op)
+	keyId, err := this.SaveInt64(tx, op)
+	if err != nil {
+		return 0, err
+	}
+
+	err = this.NotifyUpdate(tx, keyId)
+	if err != nil {
+		return keyId, err
+	}
+
+	return keyId, nil
 }
 
 // UpdateKey 修改Key
@@ -97,7 +111,11 @@ func (this *NSKeyDAO) UpdateKey(tx *dbs.Tx, keyId int64, name string, algo dnsco
 	op.Secret = secret
 	op.SecretType = secretType
 	op.IsOn = isOn
-	return this.Save(tx, op)
+	err := this.Save(tx, op)
+	if err != nil {
+		return err
+	}
+	return this.NotifyUpdate(tx, keyId)
 }
 
 // CountEnabledKeys 计算Key的数量
@@ -125,6 +143,28 @@ func (this *NSKeyDAO) ListEnabledKeys(tx *dbs.Tx, domainId int64, zoneId int64,
 	}
 	_, err = query.
 		DescPk().
+		Offset(offset).
+		Limit(size).
+		Slice(&result).
+		FindAll()
+	return
+}
+
+// IncreaseVersion 增加版本
+func (this *NSKeyDAO) IncreaseVersion(tx *dbs.Tx) (int64, error) {
+	return models.SharedSysLockerDAO.Increase(tx, "NS_KEY_VERSION", 1)
+}
+
+// ListKeysAfterVersion 列出某个版本后的密钥
+func (this *NSKeyDAO) ListKeysAfterVersion(tx *dbs.Tx, version int64, size int64) (result []*NSKey, err error) {
+	if size <= 0 {
+		size = 10000
+	}
+
+	_, err = this.Query(tx).
+		Gte("version", version).
+		Limit(size).
+		Asc("version").
 		Slice(&result).
 		FindAll()
 	return
@@ -132,6 +172,12 @@ func (this *NSKeyDAO) ListEnabledKeys(tx *dbs.Tx, domainId int64, zoneId int64,
 
 // NotifyUpdate 通知更新
 func (this *NSKeyDAO) NotifyUpdate(tx *dbs.Tx, keyId int64) error {
-	// TODO 需要实现
-	return nil
+	version, err := this.IncreaseVersion(tx)
+	if err != nil {
+		return err
+	}
+	return this.Query(tx).
+		Pk(keyId).
+		Set("version", version).
+		UpdateQuickly()
 }
diff --git a/internal/db/models/nameservers/ns_key_model.go b/internal/db/models/nameservers/ns_key_model.go
index 37b754b3..d3e51f88 100644
--- a/internal/db/models/nameservers/ns_key_model.go
+++ b/internal/db/models/nameservers/ns_key_model.go
@@ -10,6 +10,7 @@ type NSKey struct {
 	Algo       string `field:"algo"`       // 算法
 	Secret     string `field:"secret"`     // 密码
 	SecretType string `field:"secretType"` // 密码类型
+	Version    uint64 `field:"version"`    // 版本号
 	State      uint8  `field:"state"`      // 状态
 }
 
@@ -22,6 +23,7 @@ type NSKeyOperator struct {
 	Algo       interface{} // 算法
 	Secret     interface{} // 密码
 	SecretType interface{} // 密码类型
+	Version    interface{} // 版本号
 	State      interface{} // 状态
 }
 
diff --git a/internal/rpc/services/nameservers/service_ns_domain.go b/internal/rpc/services/nameservers/service_ns_domain.go
index 74ceca7b..7ce19ffd 100644
--- a/internal/rpc/services/nameservers/service_ns_domain.go
+++ b/internal/rpc/services/nameservers/service_ns_domain.go
@@ -108,6 +108,7 @@ func (this *NSDomainService) FindEnabledNSDomain(ctx context.Context, req *pb.Fi
 			Id:        int64(domain.Id),
 			Name:      domain.Name,
 			IsOn:      domain.IsOn == 1,
+			TsigJSON:  []byte(domain.Tsig),
 			CreatedAt: int64(domain.CreatedAt),
 			NsCluster: &pb.NSCluster{
 				Id:   int64(cluster.Id),
@@ -179,6 +180,7 @@ func (this *NSDomainService) ListEnabledNSDomains(ctx context.Context, req *pb.L
 			Name:      domain.Name,
 			IsOn:      domain.IsOn == 1,
 			CreatedAt: int64(domain.CreatedAt),
+			TsigJSON:  []byte(domain.Tsig),
 			NsCluster: &pb.NSCluster{
 				Id:   int64(cluster.Id),
 				IsOn: cluster.IsOn == 1,
@@ -200,7 +202,10 @@ func (this *NSDomainService) ListNSDomainsAfterVersion(ctx context.Context, req
 
 	// 集群ID
 	var tx = this.NullTx()
-	domains, err := nameservers.SharedNSDomainDAO.ListDomainsAfterVersion(tx, req.Version, 2000)
+	if req.Size <= 0 {
+		req.Size = 2000
+	}
+	domains, err := nameservers.SharedNSDomainDAO.ListDomainsAfterVersion(tx, req.Version, req.Size)
 	if err != nil {
 		return nil, err
 	}
@@ -213,9 +218,40 @@ func (this *NSDomainService) ListNSDomainsAfterVersion(ctx context.Context, req
 			IsOn:      domain.IsOn == 1,
 			IsDeleted: domain.State == nameservers.NSDomainStateDisabled,
 			Version:   int64(domain.Version),
+			TsigJSON:  []byte(domain.Tsig),
 			NsCluster: &pb.NSCluster{Id: int64(domain.ClusterId)},
 			User:      nil,
 		})
 	}
 	return &pb.ListNSDomainsAfterVersionResponse{NsDomains: pbDomains}, nil
 }
+
+// FindEnabledNSDomainTSIG 查找TSIG配置
+func (this *NSDomainService) FindEnabledNSDomainTSIG(ctx context.Context, req *pb.FindEnabledNSDomainTSIGRequest) (*pb.FindEnabledNSDomainTSIGResponse, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	tsig, err := nameservers.SharedNSDomainDAO.FindEnabledDomainTSIG(tx, req.NsDomainId)
+	if err != nil {
+		return nil, err
+	}
+	return &pb.FindEnabledNSDomainTSIGResponse{TsigJSON: tsig}, nil
+}
+
+// UpdateNSDomainTSIG 修改TSIG配置
+func (this *NSDomainService) UpdateNSDomainTSIG(ctx context.Context, req *pb.UpdateNSDomainTSIGRequest) (*pb.RPCSuccess, error) {
+	_, err := this.ValidateAdmin(ctx, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	err = nameservers.SharedNSDomainDAO.UpdateDomainTSIG(tx, req.NsDomainId, req.TsigJSON)
+	if err != nil {
+		return nil, err
+	}
+	return this.Success()
+}
diff --git a/internal/rpc/services/nameservers/service_ns_key.go b/internal/rpc/services/nameservers/service_ns_key.go
index d6364e3e..f18e3d16 100644
--- a/internal/rpc/services/nameservers/service_ns_key.go
+++ b/internal/rpc/services/nameservers/service_ns_key.go
@@ -125,3 +125,46 @@ func (this *NSKeyService) ListEnabledNSKeys(ctx context.Context, req *pb.ListEna
 	}
 	return &pb.ListEnabledNSKeysResponse{NsKeys: pbKeys}, nil
 }
+
+// ListNSKeysAfterVersion 根据版本列出一组密钥
+func (this *NSKeyService) ListNSKeysAfterVersion(ctx context.Context, req *pb.ListNSKeysAfterVersionRequest) (*pb.ListNSKeysAfterVersionResponse, error) {
+	_, err := this.ValidateNSNode(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	var tx = this.NullTx()
+	if req.Size <= 0 {
+		req.Size = 2000
+	}
+	keys, err := nameservers.SharedNSKeyDAO.ListKeysAfterVersion(tx, req.Version, req.Size)
+	if err != nil {
+		return nil, err
+	}
+	var pbKeys = []*pb.NSKey{}
+	for _, key := range keys {
+		var pbDomain *pb.NSDomain
+		var pbZone *pb.NSZone
+
+		if key.DomainId > 0 {
+			pbDomain = &pb.NSDomain{Id: int64(key.DomainId)}
+		}
+		if key.ZoneId > 0 {
+			pbZone = &pb.NSZone{Id: int64(key.ZoneId)}
+		}
+
+		pbKeys = append(pbKeys, &pb.NSKey{
+			Id:         int64(key.Id),
+			IsOn:       key.IsOn == 1,
+			Name:       "",
+			Algo:       key.Algo,
+			Secret:     key.Secret,
+			SecretType: key.SecretType,
+			IsDeleted:  key.State == nameservers.NSKeyStateDisabled,
+			Version:    int64(key.Version),
+			NsDomain:   pbDomain,
+			NsZone:     pbZone,
+		})
+	}
+	return &pb.ListNSKeysAfterVersionResponse{NsKeys: pbKeys}, nil
+}
diff --git a/internal/rpc/services/nameservers/service_ns_record.go b/internal/rpc/services/nameservers/service_ns_record.go
index d31448c7..570e5dcb 100644
--- a/internal/rpc/services/nameservers/service_ns_record.go
+++ b/internal/rpc/services/nameservers/service_ns_record.go
@@ -193,7 +193,10 @@ func (this *NSRecordService) ListNSRecordsAfterVersion(ctx context.Context, req
 
 	// 集群ID
 	var tx = this.NullTx()
-	records, err := nameservers.SharedNSRecordDAO.ListRecordsAfterVersion(tx, req.Version, 2000)
+	if req.Size <= 0 {
+		req.Size = 2000
+	}
+	records, err := nameservers.SharedNSRecordDAO.ListRecordsAfterVersion(tx, req.Version, req.Size)
 	if err != nil {
 		return nil, err
 	}