diff --git a/designateclient/auth.py b/designateclient/auth.py
deleted file mode 100644
index 623a7a6..0000000
--- a/designateclient/auth.py
+++ /dev/null
@@ -1,95 +0,0 @@
-# Copyright 2012 Managed I.T.
-#
-# Author: Kiall Mac Innes <kiall@managedit.ie>
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-from keystoneclient.v2_0.client import Client
-from requests.auth import AuthBase
-from six.moves.urllib.parse import urlparse
-
-
-class KeystoneAuth(AuthBase):
-    def __init__(self, auth_url, username=None, password=None, tenant_id=None,
-                 tenant_name=None, token=None, service_type=None,
-                 endpoint_type=None, region_name=None, sudo_tenant_id=None):
-        self.auth_url = str(auth_url).rstrip('/')
-        self.username = username
-        self.password = password
-        self.tenant_id = tenant_id
-        self.tenant_name = tenant_name
-        self.token = token
-        self.sudo_tenant_id = sudo_tenant_id
-
-        if (not username and not password) and not token:
-            raise ValueError('A username and password, or token is required')
-
-        if not service_type or not endpoint_type:
-            raise ValueError("Need service_type and/or endpoint_type")
-
-        self.service_type = service_type
-        self.endpoint_type = endpoint_type
-        self.region_name = region_name
-
-        self.refresh_auth()
-
-    def __call__(self, request):
-        if not self.token:
-            self.refresh_auth()
-
-        request.headers['X-Auth-Token'] = self.token
-
-        if self.sudo_tenant_id:
-            request.headers['X-Designate-Sudo-Tenant-ID'] = self.sudo_tenant_id
-
-        return request
-
-    def get_ksclient(self):
-        insecure = urlparse(self.auth_url).scheme != 'https'
-
-        return Client(username=self.username,
-                      password=self.password,
-                      tenant_id=self.tenant_id,
-                      tenant_name=self.tenant_name,
-                      auth_url=self.auth_url,
-                      insecure=insecure)
-
-    def get_endpoints(self, service_type=None, endpoint_type=None,
-                      region_name=None):
-        return self.service_catalog.get_endpoints(
-            service_type=service_type,
-            endpoint_type=endpoint_type,
-            region_name=region_name)
-
-    def get_url(self, service_type=None, endpoint_type=None, region_name=None):
-        service_type = service_type or self.service_type
-        endpoint_type = endpoint_type or self.endpoint_type
-        region_name = region_name or self.region_name
-
-        endpoints = self.get_endpoints(service_type, endpoint_type,
-                                       region_name)
-
-        url = endpoints[service_type][0][endpoint_type]
-
-        # NOTE(kiall): The Version 1 API is the only API that has ever included
-        #              the version number in the endpoint. Thus, it's safe to
-        #              simply remove it if present.
-        url = url.rstrip('/')
-        if url.endswith('/v1'):
-            url = url[:-3]
-        return url
-
-    def refresh_auth(self):
-        ks = self.get_ksclient()
-        self.token = ks.auth_token
-        self.service_catalog = ks.service_catalog
diff --git a/designateclient/cli/base.py b/designateclient/cli/base.py
index 3cebb2f..bf5a894 100644
--- a/designateclient/cli/base.py
+++ b/designateclient/cli/base.py
@@ -18,7 +18,7 @@ import abc
 from cliff.command import Command as CliffCommand
 from cliff.lister import Lister
 from cliff.show import ShowOne
-from keystoneclient import exceptions as ks_exceptions
+from keystoneauth1 import exceptions as ks_exceptions
 import six
 
 from designateclient import exceptions
diff --git a/designateclient/tests/base.py b/designateclient/tests/base.py
index c0f923c..34f0c7b 100644
--- a/designateclient/tests/base.py
+++ b/designateclient/tests/base.py
@@ -18,7 +18,7 @@ import json as json_
 import os
 
 import fixtures
-from keystoneclient import session as keystone_session
+from keystoneauth1 import session as keystone_session
 from oslotest import base as test
 from requests_mock.contrib import fixture as req_fixture
 import six
diff --git a/designateclient/tests/test_v1/test_client.py b/designateclient/tests/test_v1/test_client.py
index 0cf45b2..f46f64d 100644
--- a/designateclient/tests/test_v1/test_client.py
+++ b/designateclient/tests/test_v1/test_client.py
@@ -18,7 +18,7 @@ from designateclient.tests import test_v1
 from designateclient import utils
 from designateclient import v1
 
-from keystoneclient import session as keystone_session
+from keystoneauth1 import session as keystone_session
 
 
 class TestClient(test_v1.APIV1TestCase):
diff --git a/designateclient/tests/v2/test_client.py b/designateclient/tests/v2/test_client.py
index aa2526f..e3ae683 100644
--- a/designateclient/tests/v2/test_client.py
+++ b/designateclient/tests/v2/test_client.py
@@ -14,8 +14,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from keystoneclient import adapter
-from keystoneclient import session as keystone_session
+from keystoneauth1 import adapter
+from keystoneauth1 import session as keystone_session
 
 from designateclient.tests.base import TestCase
 from designateclient.v2.client import Client
diff --git a/designateclient/tests/v2/test_timeout.py b/designateclient/tests/v2/test_timeout.py
index ab8c3ff..446841c 100644
--- a/designateclient/tests/v2/test_timeout.py
+++ b/designateclient/tests/v2/test_timeout.py
@@ -14,8 +14,8 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from keystoneclient.auth.identity import generic
-from keystoneclient import session as keystone_session
+from keystoneauth1.identity import generic
+from keystoneauth1 import session as keystone_session
 from mock import Mock
 
 from designateclient.tests import v2
diff --git a/designateclient/utils.py b/designateclient/utils.py
index 1576b9f..b7bccf3 100644
--- a/designateclient/utils.py
+++ b/designateclient/utils.py
@@ -19,10 +19,10 @@ import os
 import uuid
 
 from debtcollector import removals
-from keystoneclient import adapter
-from keystoneclient.auth.identity import generic
-from keystoneclient.auth import token_endpoint
-from keystoneclient import session as ks_session
+from keystoneauth1 import adapter
+from keystoneauth1.identity import generic
+from keystoneauth1 import session as ks_session
+from keystoneauth1 import token_endpoint
 import pkg_resources
 import six
 
diff --git a/designateclient/v2/client.py b/designateclient/v2/client.py
index 911b6ef..df8aebb 100644
--- a/designateclient/v2/client.py
+++ b/designateclient/v2/client.py
@@ -13,7 +13,7 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-from keystoneclient import adapter
+from keystoneauth1 import adapter
 
 from designateclient import exceptions
 from designateclient.v2.blacklists import BlacklistController
diff --git a/requirements.txt b/requirements.txt
index 7046db6..a0b3eba 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,7 +5,7 @@ cliff!=1.16.0,!=1.17.0,>=1.15.0 # Apache-2.0
 jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT
 oslo.utils>=3.5.0 # Apache-2.0
 pbr>=1.6 # Apache-2.0
-python-keystoneclient!=1.8.0,!=2.1.0,>=1.6.0 # Apache-2.0
+keystoneauth1>=2.1.0 # Apache-2.0
 requests!=2.9.0,>=2.8.1 # Apache-2.0
 six>=1.9.0 # MIT
 stevedore>=1.10.0 # Apache-2.0