diff --git a/manifests/init.pp b/manifests/init.pp
index 16b1f9c..26805a1 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -40,6 +40,17 @@ class bind (
 }
 }

+ if $rndc {
+ # rndc only supports HMAC-MD5
+ bind::key { 'rndc-key':
+ algorithm => 'hmac-md5',
+ secret_bits => '512',
+ keydir => $confdir,
+ keyfile => 'rndc.key',
+ include => false,
+ }
+ }
+
 file { [ $confdir, "${confdir}/zones" ]:
 ensure => directory,
 mode => '2755',
@@ -83,12 +94,6 @@ class bind (
 content => "# This file is managed by puppet - changes will be lost\n",
 }

- concat::fragment { 'named-keys-rndc':
- order => '99',
- target => "${confdir}/keys.conf",
- content => "#include \"${confdir}/rndc.key\"\n",
- }
-
 concat::fragment { 'named-views-header':
 order => '00',
 target => "${confdir}/views.conf",
diff --git a/manifests/params.pp b/manifests/params.pp
index 0abc023..e842dff 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -22,7 +22,6 @@ class bind::params (
 "${::bind::confdir}/db.127",
 "${::bind::confdir}/db.255",
 "${::bind::confdir}/named.conf.default-zones",
- "${::bind::confdir}/rndc.key",
 "${::bind::confdir}/zones.rfc1918",
 ]
 }
diff --git a/templates/named.conf.erb b/templates/named.conf.erb
index 10c0f3e..1b4c923 100644
--- a/templates/named.conf.erb
+++ b/templates/named.conf.erb
@@ -2,13 +2,6 @@
 include "<%= @confdir %>/acls.conf";
 include "<%= @confdir %>/keys.conf";
 include "<%= @confdir %>/views.conf";
-<%- if @rndc -%>
-
-include "<%= @confdir %>/rndc.key";
-controls {
- inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
-};
-<%- end -%>

 options {
 directory "<%= @cachedir %>";
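Review bot: The new `bind::key { 'rndc-key': }` resource in manifests/init.pp hard-codes `algorithm => 'hmac-md5'` under the comment `# rndc only supports HMAC-MD5`, which is true only of older BIND releases; later BIND 9 releases accept HMAC-SHA algorithms on the control channel, and HMAC-MD5 is a weak choice where a stronger one is available. I would expose the algorithm as a class parameter that defaults to the current value and reword the comment to `# older rndc releases only support HMAC-MD5; override where hmac-sha256 is available`. Because `include => false` keeps the key out of keys.conf and the same commit removes the explicit `controls` block from templates/named.conf.erb, named presumably picks the key up only through its built-in default control channel, so a comment stating that `$confdir` must be the directory named searches for `rndc.key` would help. The owner and mode of the generated `rndc.key` are set inside `bind::key`, which this diff does not show; confirm the secret is readable only by root and the named user. The `if $rndc` block sits inside `class bind`, whose body starts and ends outside the hunk.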