diff --git a/data/common.yaml b/data/common.yaml
index e64d433..4ea6bf0 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -4,5 +4,6 @@ bind::params::supported: false
 bind::forwarders: ''
 bind::dnssec: true
 bind::version: ''
+bind::random_device: '/dev/random'
 bind::updater::keydir: '/etc/nsupdate-keys'
diff --git a/files/dnssec-init b/files/dnssec-init
index c34b4a6..622df4b 100644
--- a/files/dnssec-init
+++ b/files/dnssec-init
@@ -4,7 +4,8 @@ CACHEDIR="$1"
 NAME="$2"
 DOMAIN="$3"
 KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"
+RANDOM_DEVICE="$5"
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
-dnssec-keygen -K "${KEY_DIRECTORY}" "${DOMAIN}"
-dnssec-keygen -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
+dnssec-keygen -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
+dnssec-keygen -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
 dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
diff --git a/manifests/init.pp b/manifests/init.pp
index 2ae47e6..25e21d7 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,13 +2,14 @@ class bind (
 $confdir = undef,
- $namedconf = undef,
+ $namedconf = undef,
 $cachedir = undef,
 $forwarders = undef,
 $dnssec = undef,
 $version = undef,
 $rndc = undef,
 $statistics_port = undef,
+ $random_device = undef,
 ) {
 include ::bind::params
diff --git a/manifests/zone.pp b/manifests/zone.pp
index ade6efc..f4792d4 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -21,6 +21,7 @@ define bind::zone (
 # where there is a zone, there is a server
 include bind
 $cachedir = $::bind::cachedir
+ $random_device = $::bind::random_device
 $_domain = pick($domain, $name)
 unless !($masters != '' and ! member(['slave', 'stub'], $zone_type)) {
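Review bot: The new default `bind::random_device: '/dev/random'` can stall the dnssec-keygen exec rather than make it safer: on Linux kernels before 5.6, /dev/random blocks whenever the entropy pool is low, and a freshly provisioned or virtualised host can stay in that state long enough for a Puppet run that signs several zones to hang or hit the exec timeout. /dev/urandom does not block and is widely considered adequate for key generation once the kernel pool is seeded, so it is arguably the better default; if /dev/random is kept, the reason should be recorded next to the key, e.g. `# device passed to dnssec-keygen -r; /dev/random may block on low entropy, set /dev/urandom if runs stall`. Whether this hiera value actually reaches the class depends on the automatic parameter lookup for `bind::random_device` in manifests/init.pp, which is outside this hunk.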
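Review bot: `RANDOM_DEVICE="$5"` has no fallback, unlike `KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"` on the line above it, so an empty fifth argument makes both dnssec-keygen calls run with `-r ""`, which will most likely fail to open the device instead of falling back to the tool's own default; the exec in manifests/zone.pp (second hunk of that file) interpolates `'${random_device}'` unconditionally, so an unset class parameter produces exactly that empty argument. Mirroring the existing pattern, `RANDOM_DEVICE="${5:-/dev/random}"`, keeps the script consistent with the hiera default added in data/common.yaml; alternatively build the `-r` option only when the variable is non-empty. The script's preamble (shebang and any `set -e`) is outside the hunk, and as written a failed keygen is not checked, so the script continues into dnssec-signzone and fails there for a less obvious reason.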
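Review bot: The new `$random_device = undef` parameter arrives with no documentation and no validation, and nothing in the hunk shows how an `undef` value is resolved before `bind::zone` reads `$::bind::random_device`; the class body after `include ::bind::params` is outside the hunk, so that may well happen there. Because the value ends up interpolated into an exec command string (manifests/zone.pp, second hunk), a check such as `validate_absolute_path($random_device)` after the default has been resolved — the module already uses puppetlabs-stdlib functions `pick` and `member` — would turn a bad value into a clear catalog failure rather than a quoting surprise at exec time. A parameter comment in the class header, e.g. `# $random_device: device passed to dnssec-keygen -r (hiera key bind::random_device)`, would document the contract. The `-`/`+` pair for `$namedconf = undef,` is a whitespace-only change unrelated to this feature and could be dropped from the commit.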
@@ -109,7 +110,7 @@ define bind::zone (
 if $dnssec {
 exec { "dnssec-keygen-${name}":
 command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
- '${_domain}' '${key_directory}'",
+ '${_domain}' '${key_directory}' '${random_device}'",
 cwd => $cachedir,
 user => $::bind::params::bind_user,
 creates => "${cachedir}/${name}/${_domain}.signed",