diff --git a/sys/netipsec/key.h b/sys/netipsec/key.h
--- a/sys/netipsec/key.h
+++ b/sys/netipsec/key.h
@@ -80,10 +80,6 @@
 extern u_long key_random(void);
 extern void key_freereg(struct socket *);
 extern int key_parse(struct mbuf *, struct socket *);
-extern void key_init(void);
-#ifdef VIMAGE
-extern void key_destroy(void);
-#endif
 extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
 uint16_t key_portfromsaddr(struct sockaddr *);
 void key_porttosaddr(struct sockaddr *, uint16_t port);
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -8300,8 +8300,9 @@
 	}
 }
 #endif
-void
-key_init(void)
+
+static void
+key_vnet_init(void *arg __unused)
 {
 	int i;
 
@@ -8327,9 +8328,13 @@
 
 	LIST_INIT(&V_acqtree);
 	LIST_INIT(&V_spacqtree);
+}
+VNET_SYSINIT(key_vnet_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_SECOND,
+    key_vnet_init, NULL);
 
-	if (!IS_DEFAULT_VNET(curvnet))
-		return;
+static void
+key_init(void *arg __unused)
+{
 
 	ipsec_key_lft_zone = uma_zcreate("IPsec SA lft_c",
 	    sizeof(uint64_t) * 2, NULL, NULL, NULL, NULL,
@@ -8353,10 +8358,11 @@
 	if (bootverbose)
 		printf("IPsec: Initialized Security Association Processing.\n");
 }
+SYSINIT(key_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, key_init, NULL);
 
 #ifdef VIMAGE
-void
-key_destroy(void)
+static void
+key_vnet_destroy(void *arg __unused)
 {
 	struct secashead_queue sahdrainq;
 	struct secpolicy_queue drainq;
@@ -8451,10 +8457,18 @@
 	SPACQ_UNLOCK();
 	hashdestroy(V_acqaddrhashtbl, M_IPSEC_SAQ, V_acqaddrhash_mask);
 	hashdestroy(V_acqseqhashtbl, M_IPSEC_SAQ, V_acqseqhash_mask);
+}
+VNET_SYSUNINIT(key_vnet_destroy, SI_SUB_PROTO_DOMAIN, SI_ORDER_SECOND,
+    key_vnet_destroy, NULL);
+#endif
 
-	if (!IS_DEFAULT_VNET(curvnet))
-		return;
-
+/*
+ * XXX: as long as domains are not unloadable, this function is never called,
+ * provided for consistensy and future unload support.
+ */
+static void
+key_destroy(void *arg __unused)
+{
 	uma_zdestroy(ipsec_key_lft_zone);
 
 #ifndef IPSEC_DEBUG2
@@ -8467,7 +8481,7 @@
 	SPACQ_LOCK_DESTROY();
 	SPI_ALLOC_LOCK_DESTROY();
 }
-#endif
+SYSUNINIT(key_destroy, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, key_destroy, NULL);
 
 /* record data transfer on SA, and update timestamps */
 void
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -71,7 +71,7 @@
 	int key_count;
 	int any_count;
 };
-VNET_DEFINE_STATIC(struct key_cb, key_cb);
+VNET_DEFINE_STATIC(struct key_cb, key_cb) = {};
 #define	V_key_cb		VNET(key_cb)
 
 static struct sockaddr key_src = { 2, PF_KEY, };
@@ -452,23 +452,10 @@
 }
 };
 
-static void
-key_init0(void)
-{
-
-	bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
-	key_init();
-}
-
 struct domain keydomain = {
 	.dom_family =		PF_KEY,
 	.dom_name =		"key",
-	.dom_init =		key_init0,
-#ifdef VIMAGE
-	.dom_destroy =		key_destroy,
-#endif
 	.dom_protosw =		keysw,
 	.dom_protoswNPROTOSW =	&keysw[nitems(keysw)]
 };
-
-VNET_DOMAIN_SET(key);
+DOMAIN_SET(key);