diff --git a/files/dnssec-init b/files/dnssec-init
index d9e2526..cfd113d 100644
--- a/files/dnssec-init
+++ b/files/dnssec-init
@@ -8,11 +8,17 @@ RANDOM_DEVICE="$5"
 NSEC3_SALT="$6"
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
+if [ "${DOMAIN}" == "." ]; then
+ ZONE_FILE=root
+else
+ ZONE_FILE="${DOMAIN}"
+fi
+
 dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
 dnssec-keygen -a RSASHA256 -b 2048 -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
 if [ $NSEC3_SALT != '' ]; then
- dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+ dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
 else
- dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+ dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
 fi
diff --git a/manifests/zone.pp b/manifests/zone.pp
index 8fbd62f..a5a506c 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -31,6 +31,10 @@ define bind::zone (
 $include_default_zones = $::bind::include_default_zones
 $_domain = pick($domain, $name)
+ $zone_file = $_domain ? {
+ '.' => 'root',
+ default => $_domain
+ }
 if $include_default_zones and $default_zones_warning and member(['.', 'localhost', '127.in-addr.arpa', '0.in-addr.arpa', '255.in-addr.arpa'], $_domain) {
 warning("The bind module will include a default definition for zone \"${_domain}\" starting in version 6.0.0. Please see https://github.com/inkblot/puppet-bind/blob/master/DEFAULT_ZONES.md for more information about how this will affect your configuration.")
@@ -93,7 +97,7 @@ define bind::zone (
 }
 if member(['init', 'managed'], $zone_file_mode) {
- file { "${cachedir}/${name}/${_domain}":
+ file { "${cachedir}/${name}/${zone_file}":
 ensure => present,
 owner => $bind_user,
 group => $bind_group,
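Review bot: `[ "${DOMAIN}" == "." ]` on the first added line uses the bash-only `==` inside `[`; if this script is run by a POSIX `/bin/sh` (the shebang is outside the hunk, so I cannot confirm which shell is used), `[` reports an unexpected operator and returns non-zero, so the root zone falls through to `ZONE_FILE="."` and `dnssec-signzone` is pointed at the directory itself. The portable form is `if [ "${DOMAIN}" = "." ]; then`. The neighbouring salt test has a related quoting gap: with an empty salt `[ $NSEC3_SALT != '' ]` expands to `[ != '' ]` and appears to reach the unsalted branch only because `test` errors out, so `if [ -n "${NSEC3_SALT}" ]; then` says what is meant, and `-3 "${NSEC3_SALT}"` on the rewritten signzone line should be quoted for the same reason. The `.`→`root` mapping is now also encoded in the `$zone_file` selector in manifests/zone.pp, which still passes `'${_domain}'` to this script; passing the derived file name down as an argument would keep a single source of truth.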
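Review bot: The new `$zone_file` selector only special-cases `.`; every other `$_domain` is still interpolated unchanged into the `file { "${cachedir}/${name}/${zone_file}": }` and `.signed` paths further down, so a zone title containing `/` or `..` would place the zone file and the signing output outside `${cachedir}/${name}`. Since this selector is now the single derivation of the on-disk name used by the manifest, the template and the signing exec, it is the natural place to assert that the value is one path component, e.g. `validate_re($zone_file, '^[^/]+$')` (or the equivalent type check for whatever stdlib version the module already depends on, as it already uses `pick` and `member`). The last selector arm `default => $_domain` is missing the trailing comma the module's style otherwise uses. The same `.`→`root` rule is duplicated in files/dnssec-init, which receives `'${_domain}'` rather than `$zone_file` on its command line; passing `$zone_file` would let the script drop its own copy of the mapping.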
@@ -110,7 +114,7 @@ define bind::zone (
 user => $bind_user,
 refreshonly => true,
 require => Service['bind'],
- subscribe => File["${cachedir}/${name}/${_domain}"],
+ subscribe => File["${cachedir}/${name}/${zone_file}"],
 }
 }
 } elsif $zone_file_mode == 'absent' {
@@ -125,15 +129,15 @@ define bind::zone (
 '${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'",
 cwd => $cachedir,
 user => $bind_user,
- creates => "${cachedir}/${name}/${_domain}.signed",
+ creates => "${cachedir}/${name}/${zone_file}.signed",
 timeout => 0, # crypto is hard
 require => [
 File['/usr/local/bin/dnssec-init'],
- File["${cachedir}/${name}/${_domain}"]
+ File["${cachedir}/${name}/${zone_file}"]
 ],
 }
- file { "${cachedir}/${name}/${_domain}.signed":
+ file { "${cachedir}/${name}/${zone_file}.signed":
 owner => $bind_user,
 group => $bind_group,
 mode => '0644',
diff --git a/templates/zone.conf.erb b/templates/zone.conf.erb
index 53d9e27..6efcfce 100644
--- a/templates/zone.conf.erb
+++ b/templates/zone.conf.erb
@@ -9,9 +9,9 @@ zone "<%= @_domain %>" {
 <%- else -%>
 key-directory "<%= @cachedir %>/<%= @name %>";
 <%- end -%>
- file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>.signed";
+ file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>.signed";
 <%- elsif %w(init managed allowed).include? @zone_file_mode -%>
- file "<%= @cachedir %>/<%= @name %>/<%= @_domain %>";
+ file "<%= @cachedir %>/<%= @name %>/<%= @zone_file %>";
 <%- end -%>
 <%- if %w(master slave).include? @zone_type -%>
 notify <%= @ns_notify ? 'yes' : 'no' %>;