diff --git a/NEWS b/NEWS
index 1c115b1fa..d84537d35 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,13 @@
+Knot Resolver 6.0.9 (2024-mm-dd)
+================================
+
+Improvements
+------------
+
+- manager: secret for TLS session resumption via ticket (RFC5077) (!1567)
+
+  The manager creates and sets the secret for all running 'kresd' workers. The secret is created automatically if the user does not configure his own secret in the configuration. This means that the workers will be able to resume each other's TLS sessions, regardless of whether the user has configured it to do so.
+
 Knot Resolver 6.0.8 (2024-07-23)
 ================================
 
diff --git a/manager/knot_resolver_manager/kres_manager.py b/manager/knot_resolver_manager/kres_manager.py
index 1090ad5db..f916dfaaa 100644
--- a/manager/knot_resolver_manager/kres_manager.py
+++ b/manager/knot_resolver_manager/kres_manager.py
@@ -2,6 +2,7 @@
 import logging
 import sys
 import time
+from secrets import token_hex
 from subprocess import SubprocessError
 from typing import Any, Callable, List, Optional
 
@@ -148,6 +149,11 @@ def config_nodes(config: KresConfig) -> List[Any]:
         # register callback to reset policy rules for each 'kresd' worker
         await config_store.register_on_change_callback(self.reset_workers_policy_rules)
 
+        # register and immediately call a callback to set new TLS session ticket secret for 'kresd' workers
+        await config_store.register_on_change_callback(
+            only_on_real_changes_update(config_nodes)(self.set_new_tls_sticket_secret)
+        )
+
         # register controller config change listeners
         await config_store.register_verifier(_deny_max_worker_changes)
 
@@ -254,6 +260,20 @@ async def reset_workers_policy_rules(self, _config: KresConfig) -> None:
                 " the workers are already running with new configuration"
             )
 
+    async def set_new_tls_sticket_secret(self, config: KresConfig) -> None:
+
+        if config.network.tls.sticket_secret or config.network.tls.sticket_secret_file:
+            logger.debug("User-configured TLS resumption secret found - skipping auto-generation.")
+            return
+
+        logger.debug("Creating TLS session ticket secret")
+        secret = token_hex(32)
+        logger.debug("Setting TLS session ticket secret for all running 'kresd' workers")
+        cmd_results = await command_registered_workers(f"net.tls_sticket_secret('{secret}')")
+        for worker, res in cmd_results.items():
+            if res not in (0, True):
+                logger.error("Failed to set TLS session ticket secret in %s: %s", worker, res)
+
     async def apply_config(self, config: KresConfig, _noretry: bool = False) -> None:
         try:
             async with self._manager_lock: