diff --git a/dnsapi/README.md b/dnsapi/README.md
index 891417f3..e19179aa 100644
--- a/dnsapi/README.md
+++ b/dnsapi/README.md
@@ -147,6 +147,14 @@ export NSUPDATE_SERVER="dns.example.com"
 export NSUPDATE_KEY="/path/to/your/nsupdate.key"
 ```
+If you want to use multiple update keys you can create a keyfolder and tell acme.sh to use it.
+Acme.sh then tries to use the key file `${NSUPDATE_KEYDIR}/example.com.key`. If there is none it falls back to the default `NSUPDATE_KEY`.
+
+```
+mkdir ~/.acme.sh/keys
+export NSUPDATE_KEYDIR="~/.acme.sh/keys"
+```
+
 Ok, let's issue a cert now:
 ```
 acme.sh --issue --dns dns_nsupdate -d example.com -d www.example.com
diff --git a/dnsapi/dns_nsupdate.sh b/dnsapi/dns_nsupdate.sh
index 555f4d29..ddf9875d 100755
--- a/dnsapi/dns_nsupdate.sh
+++ b/dnsapi/dns_nsupdate.sh
@@ -6,16 +6,23 @@ dns_nsupdate_add() {
   fulldomain=$1
   txtvalue=$2
-  _checkKeyFile || return 1
+  basedomain=$(echo "$fulldomain" | sed -e 's/^.*\.\(.*\..*\)$/\1/')
   [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
   [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53
-  # save the dns server and key to the account conf file.
+  [ -n "${NSUPDATE_KEYDIR}" ] || NSUPDATE_KEYDIR="${LE_WORKING_DIR}/keys"
+  # save the dns server, keydir and key to the account conf file.
   _saveaccountconf NSUPDATE_SERVER "${NSUPDATE_SERVER}"
   _saveaccountconf NSUPDATE_SERVER_PORT "${NSUPDATE_SERVER_PORT}"
   _saveaccountconf NSUPDATE_KEY "${NSUPDATE_KEY}"
+  _saveaccountconf NSUPDATE_KEYDIR "${NSUPDATE_KEYDIR}"
+  if [ -r "${NSUPDATE_KEYDIR}/${basedomain}.key" ]; then
+    NSUPDATE_KEY="${NSUPDATE_KEYDIR}/${basedomain}.key"
+    _info "using non default key ${NSUPDATE_KEYDIR}/${basedomain}.key"
+  fi
+  _checkKeyFile || return 1
   _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
   nsupdate -k "${NSUPDATE_KEY}" <