diff --git a/bin/confgen/ddns-confgen.docbook b/bin/confgen/ddns-confgen.docbook
index 7815121805..c202980899 100644
--- a/bin/confgen/ddns-confgen.docbook
+++ b/bin/confgen/ddns-confgen.docbook
@@ -46,7 +46,6 @@
       <command>tsig-keygen</command>
       <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-h</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
       <arg choice="opt" rep="norepeat">name</arg>
     </cmdsynopsis>
     <cmdsynopsis sepchar=" ">
@@ -157,23 +156,6 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-r <replaceable class="parameter">randomfile</replaceable></term>
-	<listitem>
-	  <para>
-            Specifies a source of random data for generating the
-            authorization.  If the operating system does not provide a
-            <filename>/dev/random</filename> or equivalent device, the
-            default source of randomness is keyboard input.
-            <filename>randomdev</filename> specifies the name of a
-            character device or file containing random data to be used
-            instead of the default.  The special value
-            <filename>keyboard</filename> indicates that keyboard input
-            should be used.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-s <replaceable class="parameter">name</replaceable></term>
 	<listitem>
diff --git a/bin/confgen/rndc-confgen.docbook b/bin/confgen/rndc-confgen.docbook
index cf0e442d82..172615dca9 100644
--- a/bin/confgen/rndc-confgen.docbook
+++ b/bin/confgen/rndc-confgen.docbook
@@ -58,7 +58,6 @@
       <arg choice="opt" rep="norepeat"><option>-h</option></arg>
       <arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">address</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
@@ -191,24 +190,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-r <replaceable class="parameter">randomfile</replaceable></term>
-        <listitem>
-          <para>
-            Specifies a source of random data for generating the
-            authorization.  If the operating
-            system does not provide a <filename>/dev/random</filename>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <filename>randomdev</filename>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <filename>keyboard</filename> indicates that keyboard
-            input should be used.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-s <replaceable class="parameter">address</replaceable></term>
         <listitem>
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 9209f4cb72..935e1e4a86 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -120,7 +120,6 @@ usage(void) {
 			"(DH only)\n");
 	fprintf(stderr, "    -L <ttl>: default key TTL\n");
 	fprintf(stderr, "    -p <protocol>: (default: 3 [dnssec])\n");
-	fprintf(stderr, "    -r <randomdev>: DEPRECATED and ignored\n");
 	fprintf(stderr, "    -s <strength>: strength value this key signs DNS "
 			"records with (default: 0)\n");
 	fprintf(stderr, "    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; "
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 0c89828c2b..378522d128 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -81,7 +81,6 @@
       <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-q</option></arg>
       <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
@@ -349,31 +348,6 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-r <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies a source of randomness.  Normally, when generating
-	    DNSSEC keys, this option has no effect; the random number
-	    generation function provided by the cryptographic library will
-	    be used.
-	  </para>
-	  <para>
-	    If that behavior is disabled at compile time, however,
-	    the specified file will be used as entropy source
-	    for key generation.  <filename>randomdev</filename> is
-	    the name of a character device or file containing random
-	    data to be used.  The special value <filename>keyboard</filename>
-	    indicates that keyboard input should be used.
-	  </para>
-	  <para>
-	    The default is <filename>/dev/random</filename> if the
-	    operating system provides it or an equivalent device;
-	    if not, the default source of randomness is keyboard input.
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-S <replaceable class="parameter">key</replaceable></term>
 	<listitem>
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index ab092c6955..4ce8e9c983 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -3053,8 +3053,6 @@ usage(void) {
 	fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n");
 	fprintf(stderr, "\t-D:\n");
 	fprintf(stderr, "\t\toutput only DNSSEC-related records\n");
-	fprintf(stderr, "\t-r randomdev:\n");
-	fprintf(stderr,	"\t\ta file containing random data\n");
 	fprintf(stderr, "\t-a:\t");
 	fprintf(stderr, "verify generated signatures\n");
 	fprintf(stderr, "\t-c class (IN)\n");
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 5ea46dd021..facfccb5e7 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -78,10 +78,8 @@
       <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-P</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-p</option></arg>
       <arg choice="opt" rep="norepeat"><option>-Q</option></arg>
       <arg choice="opt" rep="norepeat"><option>-R</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-S</option></arg>
       <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
@@ -508,18 +506,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term>-p</term>
-        <listitem>
-          <para>
-            Use pseudo-random data when signing the zone.  This is faster,
-            but less secure, than using real random data.  This option
-            may be useful when signing large zones or when the entropy
-            source is limited.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-P</term>
         <listitem>
@@ -571,23 +557,6 @@
           </para>
         </listitem>
       </varlistentry>
-      <varlistentry>
-        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
-        <listitem>
-          <para>
-            Specifies the source of randomness.  If the operating
-            system does not provide a <filename>/dev/random</filename>
-            or equivalent device, the default source of randomness
-            is keyboard input.  <filename>randomdev</filename>
-            specifies
-            the name of a character device or file containing random
-            data to be used instead of the default.  The special value
-            <filename>keyboard</filename> indicates that keyboard
-            input should be used.
-          </para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term>-S</term>
         <listitem>
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index 56bce9f144..3902a12832 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -70,7 +70,6 @@
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-v</option></arg>
       <arg choice="opt" rep="norepeat"><option>-T</option></arg>
       <arg choice="opt" rep="norepeat"><option>-P</option></arg>
@@ -269,22 +268,6 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-R <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	<para>
-	  Where to obtain randomness. If the operating system
-	  does not provide a <filename>/dev/random</filename> or
-	  equivalent device, the default source of randomness is keyboard
-	  input.  <filename>randomdev</filename> specifies the name of
-	  a character device or file containing random data to be used
-	  instead of the default.  The special value
-	  <filename>keyboard</filename> indicates that keyboard input
-	  should be used.  This option may be specified multiple times.
-	</para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-t <replaceable class="parameter">timeout</replaceable></term>
 	<listitem>
diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook
index 1a42a75b87..e7af3562cb 100644
--- a/bin/python/dnssec-keymgr.docbook
+++ b/bin/python/dnssec-keymgr.docbook
@@ -49,7 +49,6 @@
       <arg choice="opt" rep="norepeat"><option>-v</option></arg>
       <arg choice="opt" rep="norepeat"><option>-z</option></arg>
       <arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">path</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">path</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">path</replaceable></option></arg>
       <arg choice="opt" rep="repeat">zone</arg>
     </cmdsynopsis>
@@ -187,18 +186,6 @@
 	</listitem>
       </varlistentry>
 
-      <varlistentry>
-	<term>-r <replaceable class="parameter">randomdev</replaceable></term>
-	<listitem>
-	  <para>
-	    Specifies a path to a file containing random data.
-	    This is passed to the <command>dnssec-keygen</command> binary
-	    using its <option>-r</option> option.
-<!-- TODO: what to do about "-r keyboard"? -->
-	  </para>
-	</listitem>
-      </varlistentry>
-
       <varlistentry>
 	<term>-s <replaceable class="parameter">settime-path</replaceable></term>
 	<listitem>
diff --git a/bin/python/isc/keymgr.py.in b/bin/python/isc/keymgr.py.in
index c193daa48c..2b78f05bea 100644
--- a/bin/python/isc/keymgr.py.in
+++ b/bin/python/isc/keymgr.py.in
@@ -76,7 +76,7 @@ def parse_args():
                         help='Path to \'dnssec-keygen\'',
                         metavar='path')
     parser.add_argument('-r', dest='randomdev', type=str, default=None,
-                        help='Path to a file containing random data to pass to \'dnssec-keygen\'',
+                        help='DEPRECATED',
                         metavar='path')
     parser.add_argument('-s', dest='settime', default=settime, type=str,
                         help='Path to \'dnssec-settime\'',
@@ -97,6 +97,9 @@ def parse_args():
 
     args = parser.parse_args()
 
+    if args.randomdev:
+        fatal("ERROR: -r option has been deprecated.")
+    
     if args.no_zsk and args.no_ksk:
         fatal("ERROR: -z and -k cannot be used together.")
 
diff --git a/bin/tests/.gitignore b/bin/tests/.gitignore
index fe9052ac52..3b0c4b29cc 100644
--- a/bin/tests/.gitignore
+++ b/bin/tests/.gitignore
@@ -1,5 +1,4 @@
 .libs
-genrandom
 headerdep_test.sh
 nxtify
 sdig
diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh
index 5331298069..ce32ee0e3d 100644
--- a/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -20,18 +20,18 @@ infile=root.db.in
 
 cat $infile ../ns2/dsset-example$TP > $zonefile
 
-zskact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
-zskvanish=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
-zskdel=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -D now $zone`
-zskinact=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -I now $zone`
-zskunpub=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -G $zone`
-zsksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A none $zone`
-zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -A now -P +1d $zone`
-zsknopriv=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE $zone`
+zskact=`$KEYGEN -3 -a RSASHA1 -q $zone`
+zskvanish=`$KEYGEN -3 -a RSASHA1 -q $zone`
+zskdel=`$KEYGEN -3 -a RSASHA1 -q -D now $zone`
+zskinact=`$KEYGEN -3 -a RSASHA1 -q -I now $zone`
+zskunpub=`$KEYGEN -3 -a RSASHA1 -q -G $zone`
+zsksby=`$KEYGEN -3 -a RSASHA1 -q -A none $zone`
+zskactnowpub1d=`$KEYGEN -3 -a RSASHA1 -q -A now -P +1d $zone`
+zsknopriv=`$KEYGEN -3 -a RSASHA1 -q $zone`
 rm $zsknopriv.private
 
-ksksby=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -P now -A now+15s -fk $zone`
-kskrev=`$KEYGEN -3 -a RSASHA1 -q -r $RANDFILE -R now+15s -fk $zone`
+ksksby=`$KEYGEN -3 -a RSASHA1 -q -P now -A now+15s -fk $zone`
+kskrev=`$KEYGEN -3 -a RSASHA1 -q -R now+15s -fk $zone`
 
 cat $ksksby.key | grep -v '^; ' | $PERL -n -e '
 local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh
index e253512944..11ccceadeb 100644
--- a/bin/tests/system/autosign/ns2/keygen.sh
+++ b/bin/tests/system/autosign/ns2/keygen.sh
@@ -26,16 +26,16 @@ zonefile="${zone}.db"
 infile="${zonefile}.in"
 cat $infile dsset-*.example$TP > $zonefile
 
-kskname=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
+kskname=`$KEYGEN -a RSASHA1 -3 -q -fk $zone`
+$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null
 $DSFROMKEY $kskname.key > dsset-${zone}$TP
 
 # Create keys for a private secure zone.
 zone=private.secure.example
 zonefile="${zone}.db"
 infile="${zonefile}.in"
-ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone`
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > /dev/null
+ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone`
+$KEYGEN -a RSASHA1 -3 -q $zone > /dev/null
 cat $ksk.key | grep -v '^; ' | $PERL -n -e '
 local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
 local $key = join("", @rest);
@@ -58,5 +58,5 @@ for i in Xbar.+005+30676.key Xbar.+005+30804.key Xbar.+005+30676.private \
 do
 	cp $i `echo $i | sed s/X/K/`
 done
-$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > /dev/null
+$KEYGEN -a RSASHA1 -q $zone > /dev/null
 $DSFROMKEY Kbar.+005+30804.key > dsset-bar$TP
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh
index c2f75494f6..8f1ff3cf93 100644
--- a/bin/tests/system/autosign/ns3/keygen.sh
+++ b/bin/tests/system/autosign/ns3/keygen.sh
@@ -30,8 +30,8 @@ setup () {
 
 setup secure.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -39,8 +39,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup secure.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -48,8 +48,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -57,8 +57,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup optout.nsec3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -66,8 +66,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.example
 cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -75,9 +75,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup autonsec3.example
 cat $infile > $zonefile
-ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../autoksk.key
-zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../autozsk.key
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
@@ -86,8 +86,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup secure.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -95,8 +95,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec3.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -104,8 +104,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup optout.optout.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -113,8 +113,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup optout.example
 cat $infile dsset-*.${zone}$TP > $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -122,8 +122,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup rsasha256.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA256 -b 1024 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA256 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -131,8 +131,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup rsasha512.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -140,8 +140,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup nsec.example
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -150,16 +150,16 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup oldsigs.example
 cp $infile $zonefile
-$KEYGEN -q -a RSASHA1 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 
 #
 # NSEC3->NSEC transition test zone.
 #
 setup nsec3-to-nsec.example
-$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 2048 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA512 -b 1024 $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 
 #
@@ -167,8 +167,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 # keys via nsupdate
 #
 setup secure-to-insecure.example
-$KEYGEN -a RSASHA1 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -q $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 
 #
@@ -176,9 +176,9 @@ $SIGNER -S -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 # removal of keys on schedule.
 #
 setup secure-to-insecure2.example
-ksk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../del1.key
-zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../del2.key
 $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 
@@ -187,8 +187,8 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 #
 setup prepub.example
 infile="secure-to-insecure2.example.db.in"
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 
 #
@@ -197,35 +197,35 @@ $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out 2>&1 || dumpit s.out
 
 # no default key TTL; DNSKEY should get SOA TTL
 setup ttl1.example
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 
 # default key TTL should be used
 setup ttl2.example 
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -fk -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 
 # mismatched key TTLs, should use shortest
 setup ttl3.example
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 60 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -fk -L 30 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -L 60 $zone > kg.out 2>&1 || dumpit kg.out
 cp $infile $zonefile
 
 # existing DNSKEY RRset, should retain TTL
 setup ttl4.example
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -L 30 -fk $zone > kg.out 2>&1 || dumpit kg.out
 cat ${infile} K${zone}.+*.key > $zonefile
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -L 180 $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -L 180 $zone > kg.out 2>&1 || dumpit kg.out
 
 #
 # A zone with a DNSKEY RRset that is published before it's activated
 #
 setup delay.example
-ksk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
+ksk=`$KEYGEN -G -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
 echo $ksk > ../delayksk.key
-zsk=`$KEYGEN -G -q -a RSASHA1 -3 -r $RANDFILE $zone 2> kg.out` || dumpit kg.out
+zsk=`$KEYGEN -G -q -a RSASHA1 -3 $zone 2> kg.out` || dumpit kg.out
 echo $zsk > ../delayzsk.key
 
 #
@@ -233,8 +233,8 @@ echo $zsk > ../delayzsk.key
 # is missing.
 #
 setup nozsk.example
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone`
+$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
+zsk=`$KEYGEN -q -a RSASHA1 -3 $zone`
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
 echo $zsk > ../missingzsk.key
 rm -f ${zsk}.private
@@ -244,8 +244,8 @@ rm -f ${zsk}.private
 # is inactive.
 #
 setup inaczsk.example
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-zsk=`$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone`
+$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
+zsk=`$KEYGEN -q -a RSASHA1 -3 $zone`
 $SIGNER -S -P -s now-1mo -e now-1mi -o $zone -f $zonefile ${zonefile}.in > s.out 2>&1 || dumpit s.out
 echo $zsk > ../inactivezsk.key
 $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
@@ -255,16 +255,16 @@ $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out
 #
 setup reconf.example
 cp secure.example.db.in $zonefile
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE -fk $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -q -a RSASHA1 -3 -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 -fk $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
 
 #
 # A zone which generates CDS and CDNSEY RRsets automatically
 #
 setup sync.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 echo ns3/$ksk > ../sync.key
 
@@ -273,8 +273,8 @@ echo ns3/$ksk > ../sync.key
 #
 setup kskonly.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk -P sync now $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a RSASHA1 -3 -q -fk -P sync now $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -282,8 +282,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup inacksk2.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a RSASHA1 -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -291,8 +291,8 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup inaczsk2.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -300,9 +300,9 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup inacksk3.example
 cp $infile $zonefile
-$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
 
 #
@@ -310,7 +310,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
 #
 setup inaczsk3.example
 cp $infile $zonefile
-ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -fk $zone 2> kg.out` || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE $zone > kg.out 2>&1 || dumpit kg.out
-$KEYGEN -a NSEC3RSASHA1 -3 -q -r $RANDFILE -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
+ksk=`$KEYGEN -a NSEC3RSASHA1 -3 -q -fk $zone 2> kg.out` || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -3 -q $zone > kg.out 2>&1 || dumpit kg.out
+$KEYGEN -a NSEC3RSASHA1 -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out
 $DSFROMKEY $ksk.key > dsset-${zone}$TP
diff --git a/bin/tests/system/autosign/setup.sh b/bin/tests/system/autosign/setup.sh
index 4a5c956629..d031d28e77 100644
--- a/bin/tests/system/autosign/setup.sh
+++ b/bin/tests/system/autosign/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 . ./clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 40bb97b3a3..e7a8398780 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -926,7 +926,7 @@ ret=0
 oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
 oldinception=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '/SOA/ {print $6}' | sort -u`
 
-$KEYGEN -a rsasha1 -3 -q -r $RANDFILE -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
+$KEYGEN -a rsasha1 -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null
 
 $RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i
 newserial=$oldserial
diff --git a/bin/tests/system/cds/setup.sh b/bin/tests/system/cds/setup.sh
index 5c26dcac3d..e72a4dc94d 100644
--- a/bin/tests/system/cds/setup.sh
+++ b/bin/tests/system/cds/setup.sh
@@ -16,15 +16,13 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 touch empty
 
 Z=cds.test
 
-keyz=$($KEYGEN -q -r $RANDFILE -a RSASHA256 $Z)
-key1=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z)
-key2=$($KEYGEN -q -r $RANDFILE -a RSASHA256 -f KSK $Z)
+keyz=$($KEYGEN -q -a RSASHA256 $Z)
+key1=$($KEYGEN -q -a RSASHA256 -f KSK $Z)
+key2=$($KEYGEN -q -a RSASHA256 -f KSK $Z)
 
 idz=$(echo $keyz | sed 's/.*+0*//')
 id1=$(echo $key1 | sed 's/.*+0*//')
@@ -85,7 +83,7 @@ sed 's/ add \(.*\) IN DS / add \1 3600 IN DS /' <UP.swap >UP.swapttl
 
 sign() {
 	cat >db.$1
-	$SIGNER >/dev/null 2>&1 -r $RANDFILE \
+	$SIGNER >/dev/null 2>&1 \
 		 -S -O full -o $Z -f sig.$1 db.$1
 }
 
diff --git a/bin/tests/system/chain/ns2/sign.sh b/bin/tests/system/chain/ns2/sign.sh
index 11b87ad402..18c5b66230 100644
--- a/bin/tests/system/chain/ns2/sign.sh
+++ b/bin/tests/system/chain/ns2/sign.sh
@@ -15,6 +15,6 @@ SYSTEMTESTTOP=../..
 zone=example.
 zonefile=example.db
 
-ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk -r $RANDFILE $zone`
-zsk=`$KEYGEN -q -a RSASHA256 -b 1024 -r $RANDFILE $zone`
-$SIGNER -S -r $RANDFILE -o $zone example.db > /dev/null 2>&1
+ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -fk $zone`
+zsk=`$KEYGEN -q -a RSASHA256 -b 1024 $zone`
+$SIGNER -S -o $zone example.db > /dev/null 2>&1
diff --git a/bin/tests/system/chain/setup.sh b/bin/tests/system/chain/setup.sh
index c2b0d69de7..dda56a2cb0 100644
--- a/bin/tests/system/chain/setup.sh
+++ b/bin/tests/system/chain/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/checkconf/bad-many.conf b/bin/tests/system/checkconf/bad-many.conf
index 27f7e9bd24..af2b4344fa 100644
--- a/bin/tests/system/checkconf/bad-many.conf
+++ b/bin/tests/system/checkconf/bad-many.conf
@@ -38,7 +38,6 @@ options {
 	port 5300;
 	querylog yes;
 	recursing-file "named.recursing";
-	random-device "/dev/random";
 	recursive-clients 3000;
 	serial-queries 10;
 	serial-query-rate 100;
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index 4c8eef2ca5..6d58e43550 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -57,7 +57,6 @@ options {
 	pid-file none;
 	port 5300;
 	querylog yes;
-	random-device "/dev/random";
 	recursing-file "named.recursing";
 	recursive-clients 3000;
 	serial-queries 10;
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 7b8a4e9caa..bf7e77e2ef 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -33,7 +33,6 @@ DNSTAPREAD=$TOP/bin/tools/dnstap-read
 DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
 FEATURETEST=$TOP/bin/tests/system/feature-test
 FSTRM_CAPTURE=@FSTRM_CAPTURE@
-GENRANDOM=$TOP/bin/tools/genrandom
 IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
 JOURNALPRINT=$TOP/bin/tools/named-journalprint
 KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
@@ -59,8 +58,6 @@ TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
 VERIFY=$TOP/bin/dnssec/dnssec-verify
 WIRETEST=$TOP/bin/tests/wire_test
 
-RANDFILE=$TOP/bin/tests/system/random.data
-
 BIGKEY=$TOP/bin/tests/system/rsabigexponent/bigkey
 GENCHECK=$TOP/bin/tests/system/rndc/gencheck
 KEYCREATE=$TOP/bin/tests/system/tkey/keycreate
@@ -323,7 +320,6 @@ export PK11GEN
 export PK11LIST
 export PSSUSPEND
 export PYTHON
-export RANDFILE
 export RESOLVE
 export RNDC
 export RRCHECKER
diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32
index e46957e40b..b84bdc60d1 100644
--- a/bin/tests/system/conf.sh.win32
+++ b/bin/tests/system/conf.sh.win32
@@ -38,7 +38,6 @@ DNSTAPREAD=$TOP/Build/$VSCONF/dnstap-read@EXEEXT@
 DSFROMKEY=$TOP/Build/$VSCONF/dnssec-dsfromkey@EXEEXT@
 FEATURETEST=$TOP/Build/$VSCONF/feature-test@EXEEXT@
 FSTRM_CAPTURE=@FSTRM_CAPTURE@
-GENRANDOM=$TOP/Build/$VSCONF/genrandom@EXEEXT@
 IMPORTKEY=$TOP/Build/$VSCONF/dnssec-importkey@EXEEXT@
 JOURNALPRINT=$TOP/Build/$VSCONF/named-journalprint@EXEEXT@
 KEYFRLAB=$TOP/Build/$VSCONF/dnssec-keyfromlabel@EXEEXT@
@@ -65,9 +64,6 @@ VERIFY=$TOP/Build/$VSCONF/dnssec-verify@EXEEXT@
 
 # to port WIRETEST=$TOP/Build/$VSCONF/wire_test@EXEEXT@
 
-# this is given as argument to native WIN32 executables
-RANDFILE=`cygpath -w $TOP/bin/tests/system/random.data`
-
 BIGKEY=$TOP/Build/$VSCONF/bigkey@EXEEXT@
 GENCHECK=$TOP/Build/$VSCONF/gencheck@EXEEXT@
 KEYCREATE=$TOP/Build/$VSCONF/keycreate@EXEEXT@
@@ -298,7 +294,6 @@ export PK11GEN
 export PK11LIST
 export PSSUSPEND
 export PYTHON
-export RANDFILE
 export RESOLVE
 export RNDC
 export RRCHECKER
diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh
index cee4dffdec..bb6fa4bb1f 100644
--- a/bin/tests/system/coverage/setup.sh
+++ b/bin/tests/system/coverage/setup.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-KEYGEN="$KEYGEN -qr $RANDFILE"
-
 $SHELL clean.sh
 
 ln -s $CHECKZONE named-compilezone
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
index ddd41a1437..71244d7faf 100755
--- a/bin/tests/system/dlv/ns1/sign.sh
+++ b/bin/tests/system/dlv/ns1/sign.sh
@@ -23,12 +23,12 @@ infile=root.db.in
 zonefile=root.db
 outfile=root.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 
 echo_i "signed $zone"
 
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
index 6f84d7a525..d7b82e1377 100755
--- a/bin/tests/system/dlv/ns2/sign.sh
+++ b/bin/tests/system/dlv/ns2/sign.sh
@@ -24,12 +24,12 @@ zonefile=druz.db
 outfile=druz.pre
 dlvzone=utld.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 
 $CHECKZONE -q -D -i none druz druz.pre |
 sed '/IN DNSKEY/s/\([a-z0-9A-Z/]\{10\}\)[a-z0-9A-Z/]\{16\}/\1XXXXXXXXXXXXXXXX/'> druz.signed
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
index cb991323b6..70557b0f27 100755
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -26,13 +26,13 @@ zonefile=child1.utld.db
 outfile=child1.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -42,13 +42,13 @@ zonefile=child3.utld.db
 outfile=child3.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -58,12 +58,12 @@ zonefile=child4.utld.db
 outfile=child4.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -73,13 +73,13 @@ zonefile=child5.utld.db
 outfile=child5.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -88,13 +88,13 @@ infile=child.db.in
 zonefile=child7.utld.db
 outfile=child7.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -103,12 +103,12 @@ infile=child.db.in
 zonefile=child8.utld.db
 outfile=child8.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -118,12 +118,12 @@ zonefile=child9.utld.db
 outfile=child9.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=child10.utld.
@@ -132,12 +132,12 @@ zonefile=child10.utld.db
 outfile=child10.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=child1.druz.
@@ -147,13 +147,13 @@ outfile=child1.druz.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -164,13 +164,13 @@ outfile=child3.druz.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -181,12 +181,12 @@ outfile=child4.druz.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -197,13 +197,13 @@ outfile=child5.druz.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -213,13 +213,13 @@ zonefile=child7.druz.db
 outfile=child7.druz.signed
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
 cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -228,12 +228,12 @@ infile=child.db.in
 zonefile=child8.druz.db
 outfile=child8.druz.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -243,12 +243,12 @@ zonefile=child9.druz.db
 outfile=child9.druz.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=child10.druz.
@@ -258,12 +258,12 @@ outfile=child10.druz.signed
 dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -l $dlvzone -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -272,12 +272,12 @@ infile=dlv.db.in
 zonefile=dlv.utld.db
 outfile=dlv.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
index 1e398625f1..cc5b2911ca 100755
--- a/bin/tests/system/dlv/ns6/sign.sh
+++ b/bin/tests/system/dlv/ns6/sign.sh
@@ -21,12 +21,12 @@ infile=child.db.in
 zonefile=grand.child1.utld.db
 outfile=grand.child1.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -36,12 +36,12 @@ zonefile=grand.child3.utld.db
 outfile=grand.child3.signed
 dlvzone=dlv.utld.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -51,12 +51,12 @@ zonefile=grand.child4.utld.db
 outfile=grand.child4.signed
 dlvzone=dlv.utld.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -66,12 +66,12 @@ zonefile=grand.child5.utld.db
 outfile=grand.child5.signed
 dlvzone=dlv.utld.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -81,12 +81,12 @@ zonefile=grand.child7.utld.db
 outfile=grand.child7.signed
 dlvzone=dlv.utld.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -96,12 +96,12 @@ zonefile=grand.child8.utld.db
 outfile=grand.child8.signed
 dlvzone=dlv.utld.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -111,12 +111,12 @@ zonefile=grand.child9.utld.db
 outfile=grand.child9.signed
 dlvzone=dlv.utld.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=grand.child10.utld.
@@ -125,12 +125,12 @@ zonefile=grand.child10.utld.db
 outfile=grand.child10.signed
 dlvzone=dlv.utld.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=grand.child1.druz.
@@ -138,12 +138,12 @@ infile=child.db.in
 zonefile=grand.child1.druz.db
 outfile=grand.child1.druz.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -153,12 +153,12 @@ zonefile=grand.child3.druz.db
 outfile=grand.child3.druz.signed
 dlvzone=dlv.druz.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -168,12 +168,12 @@ zonefile=grand.child4.druz.db
 outfile=grand.child4.druz.signed
 dlvzone=dlv.druz.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -183,12 +183,12 @@ zonefile=grand.child5.druz.db
 outfile=grand.child5.druz.signed
 dlvzone=dlv.druz.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -198,12 +198,12 @@ zonefile=grand.child7.druz.db
 outfile=grand.child7.druz.signed
 dlvzone=dlv.druz.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -213,12 +213,12 @@ zonefile=grand.child8.druz.db
 outfile=grand.child8.druz.signed
 dlvzone=dlv.druz.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 
@@ -228,12 +228,12 @@ zonefile=grand.child9.druz.db
 outfile=grand.child9.druz.signed
 dlvzone=dlv.druz.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=grand.child10.druz.
@@ -242,10 +242,10 @@ zonefile=grand.child10.druz.db
 outfile=grand.child10.druz.signed
 dlvzone=dlv.druz.
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
diff --git a/bin/tests/system/dlv/setup.sh b/bin/tests/system/dlv/setup.sh
index a8a94e8b87..24f8d29ed4 100644
--- a/bin/tests/system/dlv/setup.sh
+++ b/bin/tests/system/dlv/setup.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/dlzexternal/setup.sh b/bin/tests/system/dlzexternal/setup.sh
index 8b91d55b18..6efd940092 100644
--- a/bin/tests/system/dlzexternal/setup.sh
+++ b/bin/tests/system/dlzexternal/setup.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
-$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
+$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
 
 copy_setports ns1/named.conf.in ns1/named.conf
diff --git a/bin/tests/system/dns64/ns1/sign.sh b/bin/tests/system/dns64/ns1/sign.sh
index 88b1bbbb9c..17688fc772 100644
--- a/bin/tests/system/dns64/ns1/sign.sh
+++ b/bin/tests/system/dns64/ns1/sign.sh
@@ -16,9 +16,9 @@ zone=signed
 infile=example.db
 zonefile=signed.db
 
-key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
-key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 $zone`
+key2=`$KEYGEN -q -a rsasha256 -fk $zone`
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/dns64/setup.sh b/bin/tests/system/dns64/setup.sh
index fbaecc308c..5f2d9d26de 100644
--- a/bin/tests/system/dns64/setup.sh
+++ b/bin/tests/system/dns64/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 09837184de..683583543f 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -27,11 +27,11 @@ cp ../ns2/dsset-in-addr.arpa$TP .
 grep "8 [12] " ../ns2/dsset-algroll$TP > dsset-algroll$TP
 cp ../ns6/dsset-optout-tld$TP .
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 # Configure the resolving server with a trusted key.
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index be3aaf9173..b0890df2a6 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -29,12 +29,12 @@ do
 	cp ../ns3/dsset-$subdomain.example$TP .
 done
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
 #
 # lower/uppercase the signature bits with the exception of the last characters
@@ -89,11 +89,11 @@ zone=in-addr.arpa.
 infile=in-addr.arpa.db.in
 zonefile=in-addr.arpa.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
 # Sign the privately secure file
 
@@ -101,11 +101,11 @@ privzone=private.secure.example.
 privinfile=private.secure.example.db.in
 privzonefile=private.secure.example.db
 
-privkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $privzone`
+privkeyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $privzone`
 
 cat $privinfile $privkeyname.key >$privzonefile
 
-$SIGNER -P -g -r $RANDFILE -o $privzone -l dlv $privzonefile > /dev/null
+$SIGNER -P -g -o $privzone -l dlv $privzonefile > /dev/null
 
 # Sign the DLV secure zone.
 
@@ -115,11 +115,11 @@ dlvinfile=dlv.db.in
 dlvzonefile=dlv.db
 dlvsetfile=dlvset-`echo $privzone |sed -e "s/\.$//g"`$TP
 
-dlvkeyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $dlvzone`
+dlvkeyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $dlvzone`
 
 cat $dlvinfile $dlvkeyname.key $dlvsetfile > $dlvzonefile
 
-$SIGNER -P -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
+$SIGNER -P -g -o $dlvzone $dlvzonefile > /dev/null
 
 # Sign the badparam secure file
 
@@ -127,12 +127,12 @@ zone=badparam.
 infile=badparam.db.in
 zonefile=badparam.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+keyname2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -P -3 - -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -3 - -H 1 -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
 sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' $zonefile.signed > $zonefile.bad
 
@@ -142,12 +142,12 @@ zone=single-nsec3.
 infile=single-nsec3.db.in
 zonefile=single-nsec3.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+keyname2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -3 - -A -H 1 -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
 #
 # algroll has just has the old DNSKEY records removed and is waiting
@@ -158,14 +158,14 @@ zone=algroll.
 infile=algroll.db.in
 zonefile=algroll.db
 
-keyold1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-keyold2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keynew1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone`
-keynew2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyold1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+keyold2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keynew1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -fk $zone`
+keynew2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $keynew1.key $keynew2.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null
+$SIGNER -P -o $zone -k $keyold1 -k $keynew1 $zonefile $keyold1 $keyold2 $keynew1 $keynew2 > /dev/null
 
 #
 # Make a zone big enough that it takes several seconds to generate a new
@@ -183,93 +183,93 @@ ns3	10	A	10.53.0.3
 EOF
 awk 'END { for (i = 0; i < 300; i++)
 	print "host" i, 10, "NS", "ns.elsewhere"; }' < /dev/null >> $zonefile
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 cat $key1.key $key2.key >> $zonefile
-$SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $key1 $zonefile $key2 > /dev/null
+$SIGNER -P -3 - -A -H 1 -g -o $zone -k $key1 $zonefile $key2 > /dev/null
 
 zone=cds.secure
 infile=cds.secure.db.in
 zonefile=cds.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 $DSFROMKEY -C $key1.key > $key1.cds
 cat $infile $key1.key $key2.key $key1.cds >$zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 zone=cds-x.secure
 infile=cds.secure.db.in
 zonefile=cds-x.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key3=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key3=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 $DSFROMKEY -C $key2.key > $key2.cds
 cat $infile $key1.key $key3.key $key2.cds >$zonefile
-$SIGNER -P -g -x -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -x -o $zone $zonefile > /dev/null
 
 zone=cds-update.secure
 infile=cds-update.secure.db.in
 zonefile=cds-update.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $key1.key $key2.key > $zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 zone=cds-kskonly.secure
 infile=cds-kskonly.secure.db.in
 zonefile=cds-kskonly.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $key1.key $key2.key > $zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 zone=cds-auto.secure
 infile=cds-auto.secure.db.in
 zonefile=cds-auto.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 $DSFROMKEY -C $key1.key > $key1.cds
 cat $infile $key1.cds > $zonefile.signed
 
 zone=cdnskey.secure
 infile=cdnskey.secure.db.in
 zonefile=cdnskey.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds
 cat $infile $key1.key $key2.key $key1.cds >$zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 zone=cdnskey-x.secure
 infile=cdnskey.secure.db.in
 zonefile=cdnskey-x.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key3=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key3=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds
 cat $infile $key2.key $key3.key $key1.cds >$zonefile
-$SIGNER -P -g -x -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -x -o $zone $zonefile > /dev/null
 
 zone=cdnskey-update.secure
 infile=cdnskey-update.secure.db.in
 zonefile=cdnskey-update.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $key1.key $key2.key > $zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 zone=cdnskey-kskonly.secure
 infile=cdnskey-kskonly.secure.db.in
 zonefile=cdnskey-kskonly.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $key1.key $key2.key > $zonefile
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 zone=cdnskey-auto.secure
 infile=cdnskey-auto.secure.db.in
 zonefile=cdnskey-auto.secure.db
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds
 cat $infile $key1.cds > $zonefile.signed
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 3cd660433e..a248840e9e 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -16,44 +16,44 @@ zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
 
-cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host cnameandkey.$zone`
-dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 1024 -n host dnameandkey.$zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+cnameandkey=`$KEYGEN -T KEY -q -a RSASHA1 -b 1024 -n host cnameandkey.$zone`
+dnameandkey=`$KEYGEN -T KEY -q -a RSASHA1 -b 1024 -n host dnameandkey.$zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 zone=bogus.example.
 infile=bogus.example.db.in
 zonefile=bogus.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 zone=dynamic.example.
 infile=dynamic.example.db.in
 zonefile=dynamic.example.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone -f KSK $zone`
+keyname1=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone -f KSK $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 zone=keyless.example.
 infile=generic.example.db.in
 zonefile=keyless.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 # Change the signer field of the a.b.keyless.example SIG A
 # to point to a provably nonexistent KEY record.
@@ -69,11 +69,11 @@ zone=secure.nsec3.example.
 infile=secure.nsec3.example.db.in
 zonefile=secure.nsec3.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 #
 #  NSEC3/NSEC3 test zone
@@ -82,11 +82,11 @@ zone=nsec3.nsec3.example.
 infile=nsec3.nsec3.example.db.in
 zonefile=nsec3.nsec3.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1
 
 #
 #  OPTOUT/NSEC3 test zone
@@ -95,11 +95,11 @@ zone=optout.nsec3.example.
 infile=optout.nsec3.example.db.in
 zonefile=optout.nsec3.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -A -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A nsec3 zone (non-optout).
@@ -108,11 +108,11 @@ zone=nsec3.example.
 infile=nsec3.example.db.in
 zonefile=nsec3.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -g -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -g -3 - -o $zone $zonefile > /dev/null 2>&1
 
 #
 #  OPTOUT/NSEC test zone
@@ -121,11 +121,11 @@ zone=secure.optout.example.
 infile=secure.optout.example.db.in
 zonefile=secure.optout.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 #
 #  OPTOUT/NSEC3 test zone
@@ -134,11 +134,11 @@ zone=nsec3.optout.example.
 infile=nsec3.optout.example.db.in
 zonefile=nsec3.optout.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1
 
 #
 #  OPTOUT/OPTOUT test zone
@@ -147,11 +147,11 @@ zone=optout.optout.example.
 infile=optout.optout.example.db.in
 zonefile=optout.optout.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -A -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A optout nsec3 zone.
@@ -160,11 +160,11 @@ zone=optout.example.
 infile=optout.example.db.in
 zonefile=optout.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -g -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -g -3 - -A -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
@@ -173,11 +173,11 @@ zone=nsec3-unknown.example.
 infile=nsec3-unknown.example.db.in
 zonefile=nsec3-unknown.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -U -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -U -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
@@ -186,11 +186,11 @@ zone=optout-unknown.example.
 infile=optout-unknown.example.db.in
 zonefile=optout-unknown.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -U -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -U -A -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A zone with a unknown DNSKEY algorithm.
@@ -200,11 +200,11 @@ zone=dnskey-unknown.example.
 infile=dnskey-unknown.example.db.in
 zonefile=dnskey-unknown.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -r $RANDFILE -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -o $zone -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
 
 awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
 
@@ -219,11 +219,11 @@ zone=dnskey-nsec3-unknown.example.
 infile=dnskey-nsec3-unknown.example.db.in
 zonefile=dnskey-nsec3-unknown.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -r $RANDFILE -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -o $zone -U -O full -f ${zonefile}.tmp $zonefile > /dev/null 2>&1
 
 awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
 
@@ -237,21 +237,21 @@ zone=multiple.example.
 infile=multiple.example.db.in
 zonefile=multiple.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 mv $zonefile.signed $zonefile
-$SIGNER -P -u3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -u3 - -o $zone $zonefile > /dev/null 2>&1
 mv $zonefile.signed $zonefile
-$SIGNER -P -u3 AAAA -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -u3 AAAA -o $zone $zonefile > /dev/null 2>&1
 mv $zonefile.signed $zonefile
-$SIGNER -P -u3 BBBB -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -u3 BBBB -o $zone $zonefile > /dev/null 2>&1
 mv $zonefile.signed $zonefile
-$SIGNER -P -u3 CCCC -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -u3 CCCC -o $zone $zonefile > /dev/null 2>&1
 mv $zonefile.signed $zonefile
-$SIGNER -P -u3 DDDD -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -u3 DDDD -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A RSASHA256 zone.
@@ -260,11 +260,11 @@ zone=rsasha256.example.
 infile=rsasha256.example.db.in
 zonefile=rsasha256.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A RSASHA512 zone.
@@ -273,11 +273,11 @@ zone=rsasha512.example.
 infile=rsasha512.example.db.in
 zonefile=rsasha512.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA512 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA512 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A zone with the DNSKEY set only signed by the KSK
@@ -286,10 +286,10 @@ zone=kskonly.example.
 infile=kskonly.example.db.in
 zonefile=kskonly.example.db
 
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -x -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -x -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A zone with the expired signatures
@@ -298,10 +298,10 @@ zone=expired.example.
 infile=expired.example.db.in
 zonefile=expired.example.db
 
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone -s -1d -e +1h $zonefile > /dev/null 2>&1
 rm -f $kskname.* $zskname.*
 
 #
@@ -311,10 +311,10 @@ zone=update-nsec3.example.
 infile=update-nsec3.example.db.in
 zonefile=update-nsec3.example.db
 
-kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A NSEC signed zone that will have auto-dnssec enabled and
@@ -324,12 +324,12 @@ zone=auto-nsec.example.
 infile=auto-nsec.example.db.in
 zonefile=auto-nsec.example.db
 
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A NSEC3 signed zone that will have auto-dnssec enabled and
@@ -339,12 +339,12 @@ zone=auto-nsec3.example.
 infile=auto-nsec3.example.db.in
 zonefile=auto-nsec3.example.db
 
-kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
-kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1
 
 #
 # Secure below cname test zone.
@@ -352,9 +352,9 @@ $SIGNER -P -3 - -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 zone=secure.below-cname.example.
 infile=secure.below-cname.example.db.in
 zonefile=secure.below-cname.example.db
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $keyname.key >$zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 #
 # Patched TTL test zone.
@@ -365,10 +365,10 @@ zonefile=ttlpatch.example.db
 signedfile=ttlpatch.example.db.signed
 patchedfile=ttlpatch.example.db.patched
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -f $signedfile -o $zone $zonefile > /dev/null 2>&1
 $CHECKZONE -D -s full $zone $signedfile 2> /dev/null | \
     awk '{$2 = "3600"; print}' > $patchedfile
 
@@ -380,11 +380,11 @@ infile=split-dnssec.example.db.in
 zonefile=split-dnssec.example.db
 signedfile=split-dnssec.example.db.signed
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 cat $infile $keyname.key >$zonefile
 echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 : > $signedfile
-$SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -D -o $zone $zonefile > /dev/null 2>&1
 
 #
 # Seperate DNSSEC records smart signing.
@@ -394,11 +394,11 @@ infile=split-smart.example.db.in
 zonefile=split-smart.example.db
 signedfile=split-smart.example.db.signed
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 cp $infile $zonefile
 echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
 : > $signedfile
-$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -S -D -o $zone $zonefile > /dev/null 2>&1
 
 # 
 # Zone with signatures about to expire, but no private key to replace them
@@ -407,10 +407,10 @@ zone="expiring.example."
 infile="expiring.example.db.in"
 zonefile="expiring.example.db"
 signedfile="expiring.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+kskname=`$KEYGEN -q -a RSASHA1 $zone`
+zskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
-$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -S -e now+1mi -o $zone $zonefile > /dev/null 2>&1
 mv -f ${zskname}.private ${zskname}.private.moved
 mv -f ${kskname}.private ${kskname}.private.moved
 
@@ -422,10 +422,10 @@ infile="upper.example.db.in"
 zonefile="upper.example.db"
 lower="upper.example.db.lower"
 signedfile="upper.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+kskname=`$KEYGEN -q -a RSASHA1 $zone`
+zskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
-$SIGNER -P -S -r $RANDFILE -o $zone -f $lower $zonefile > /dev/null 2>/dev/null
+$SIGNER -P -S -o $zone -f $lower $zonefile > /dev/null 2>/dev/null
 $CHECKZONE -D upper.example $lower 2>/dev/null | \
 	sed '/RRSIG/s/ upper.example. / UPPER.EXAMPLE. /' > $signedfile
 
@@ -437,10 +437,10 @@ zone="LOWER.EXAMPLE."
 infile="lower.example.db.in"
 zonefile="lower.example.db"
 signedfile="lower.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+kskname=`$KEYGEN -q -a RSASHA1 $zone`
+zskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
-$SIGNER -P -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -S -o $zone $zonefile > /dev/null 2>&1
 
 #
 # Zone with signatures about to expire, and dynamic, but configured
@@ -450,10 +450,10 @@ zone="nosign.example."
 infile="nosign.example.db.in"
 zonefile="nosign.example.db"
 signedfile="nosign.example.db.signed"
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
+kskname=`$KEYGEN -q -a RSASHA1 $zone`
+zskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone`
 cp $infile $zonefile
-$SIGNER -S -r $RANDFILE -e now+1mi -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -S -e now+1mi -o $zone $zonefile > /dev/null 2>&1
 # preserve a normalized copy of the NS RRSIG for comparison later
 $CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
         awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
@@ -463,8 +463,8 @@ $CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
 # An inline signing zone
 #
 zone=inline.example.
-kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -a RSASHA1 $zone`
 
 #
 # publish a new key while deactivating another key at the same time.
@@ -473,12 +473,12 @@ zone=publish-inactive.example
 infile=publish-inactive.example.db.in
 zonefile=publish-inactive.example.db
 now=`date -u +%Y%m%d%H%M%S`
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-kskname=`$KEYGEN -I $now+90s -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone`
+kskname=`$KEYGEN -P $now+90s -A $now+3600s -q -a RSASHA1 -f KSK $zone`
+kskname=`$KEYGEN -I $now+90s -q -a RSASHA1 -f KSK $zone`
+zskname=`$KEYGEN -q -a RSASHA1 $zone`
 cp $infile $zonefile
-$SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -S -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A zone which will change its sig-validity-interval
@@ -486,8 +486,8 @@ $SIGNER -S -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 zone=siginterval.example
 infile=siginterval.example.db.in
 zonefile=siginterval.example.db
-kskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 -fk $zone`
-zskname=`$KEYGEN -q -3 -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -fk $zone`
+zskname=`$KEYGEN -q -3 -a RSASHA1 $zone`
 cp $infile $zonefile
 
 #
@@ -498,11 +498,11 @@ zone=badds.example.
 infile=bogus.example.db.in
 zonefile=badds.example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
 
 #
@@ -511,10 +511,10 @@ sed -e 's/bogus/badds/g' < dsset-bogus.example$TP > dsset-badds.example$TP
 zone=future.example
 infile=future.example.db.in
 zonefile=future.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone`
+zskname=`$KEYGEN -q -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -s +3600 -o $zone $zonefile > /dev/null 2>&1
 cp -f $kskname.key trusted-future.key
 
 #
@@ -523,10 +523,10 @@ cp -f $kskname.key trusted-future.key
 zone=managed-future.example
 infile=managed-future.example.db.in
 zonefile=managed-future.example.db
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -f KSK $zone`
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -f KSK $zone`
+zskname=`$KEYGEN -q -a RSASHA1 $zone`
 cat $infile $kskname.key $zskname.key >$zonefile
-$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -s +3600 -o $zone $zonefile > /dev/null 2>&1
 
 #
 # A zone with a revoked key
@@ -535,11 +535,11 @@ zone=revkey.example.
 infile=generic.example.db.in
 zonefile=revkey.example.db
 
-ksk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
+ksk1=`$KEYGEN -q -a RSASHA1 -3fk $zone`
 ksk1=`$REVOKE $ksk1`
-ksk2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3fk $zone`
-zsk1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 $zone`
+ksk2=`$KEYGEN -q -a RSASHA1 -3fk $zone`
+zsk1=`$KEYGEN -q -a RSASHA1 -3 $zone`
 
 cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns5/sign.sh b/bin/tests/system/dnssec/ns5/sign.sh
index 5c9493dceb..dcbd972a92 100644
--- a/bin/tests/system/dnssec/ns5/sign.sh
+++ b/bin/tests/system/dnssec/ns5/sign.sh
@@ -16,7 +16,7 @@ zone=.
 infile=../ns1/root.db.in
 zonefile=root.db.signed
 
-keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone`
+keyname=`$KEYGEN -a RSASHA1 -qfk $zone`
 
 # copy the KSK out first, then revoke it
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
@@ -32,6 +32,6 @@ EOF
 $SETTIME -R now ${keyname}.key > /dev/null
 
 # create a current set of keys, and sign the root zone
-$KEYGEN -r $RANDFILE -a RSASHA1 -q $zone > /dev/null
-$KEYGEN -r $RANDFILE -a RSASHA1 -qfk $zone > /dev/null
-$SIGNER -S -r $RANDFILE -o $zone -f $zonefile $infile > /dev/null 2>&1
+$KEYGEN -a RSASHA1 -q $zone > /dev/null
+$KEYGEN -a RSASHA1 -qfk $zone > /dev/null
+$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns6/sign.sh b/bin/tests/system/dnssec/ns6/sign.sh
index 9266a64648..159ba7337b 100644
--- a/bin/tests/system/dnssec/ns6/sign.sh
+++ b/bin/tests/system/dnssec/ns6/sign.sh
@@ -16,8 +16,8 @@ zone=optout-tld
 infile=optout-tld.db.in
 zonefile=optout-tld.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key >$zonefile
 
-$SIGNER -P -3 - -A -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -A -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/ns7/sign.sh b/bin/tests/system/dnssec/ns7/sign.sh
index 43e6dd338a..c02d54cf0d 100644
--- a/bin/tests/system/dnssec/ns7/sign.sh
+++ b/bin/tests/system/dnssec/ns7/sign.sh
@@ -16,12 +16,12 @@ zone=split-rrsig
 infile=split-rrsig.db.in
 zonefile=split-rrsig.db
 
-k1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
-k2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+k1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
+k2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 
 cat $infile $k1.key $k2.key >$zonefile
 
-$SIGNER -P -3 - -A -r $RANDFILE -o $zone -O full -f $zonefile.unsplit -e now-3600 -s now-7200 $zonefile > /dev/null 2>&1
+$SIGNER -P -3 - -A -o $zone -O full -f $zonefile.unsplit -e now-3600 -s now-7200 $zonefile > /dev/null 2>&1
 awk 'BEGIN { r = ""; }
      $4 == "RRSIG" && $5 == "SOA" && r == "" { r = $0; next; }
      { print }
diff --git a/bin/tests/system/dnssec/setup.sh b/bin/tests/system/dnssec/setup.sh
index f0b5696f64..870e539644 100644
--- a/bin/tests/system/dnssec/setup.sh
+++ b/bin/tests/system/dnssec/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh 
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index e30ba473c5..8cee92237e 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1381,8 +1381,8 @@ status=`expr $status + $ret`
 echo_i "checking that we can sign a zone with out-of-zone records ($n)"
 ret=0
 zone=example
-key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 (
 cd signer
 cat example.db.in $key1.key $key2.key > example.db
@@ -1395,8 +1395,8 @@ status=`expr $status + $ret`
 echo_i "checking that we can sign a zone (NSEC3) with out-of-zone records ($n)"
 ret=0
 zone=example
-key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 (
 cd signer
 cat example.db.in $key1.key $key2.key > example.db
@@ -1420,8 +1420,8 @@ status=`expr $status + $ret`
 echo_i "checking NSEC3 signing with empty nonterminals above a delegation ($n)"
 ret=0
 zone=example
-key1=`$KEYGEN -K signer -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -K signer -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -K signer -q -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 (
 cd signer
 cat example.db.in $key1.key $key2.key > example3.db
@@ -1446,8 +1446,8 @@ status=`expr $status + $ret`
 echo_i "checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
 ret=0
 zone=example
-key1=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-key2=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone`
 (
 cd signer
 cat example.db.in $key1.key $key2.key > example.db
@@ -1463,10 +1463,10 @@ status=`expr $status + $ret`
 echo_i "checking dnssec-signzone keeps valid signatures from removed keys ($n)"
 ret=0
 zone=example
-key1=`$KEYGEN -K signer -q -r $RANDFILE -f KSK -a RSASHA1 -b 1024 -n zone $zone`
-key2=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key1=`$KEYGEN -K signer -q -f KSK -a RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone`
 keyid2=`echo $key2 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'`
-key3=`$KEYGEN -K signer -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+key3=`$KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone`
 keyid3=`echo $key3 | sed 's/^Kexample.+005+0*\([0-9]\)/\1/'`
 (
 cd signer
@@ -2320,7 +2320,7 @@ echo_i "checking that the NSEC3 record for the apex is properly signed when a DN
 ret=0
 (
 cd ns3
-kskname=`$KEYGEN -q -3 -a RSASHA1 -r $RANDFILE -fk update-nsec3.example`
+kskname=`$KEYGEN -q -3 -a RSASHA1 -fk update-nsec3.example`
 (
 echo zone update-nsec3.example
 echo server 10.53.0.3 ${PORT}
@@ -2661,7 +2661,7 @@ status=`expr $status + $ret`
 # includes it anyway to avoid confusion (RT #21731)
 echo_i "check dnssec-dsfromkey error message when keyfile is not found ($n)"
 ret=0
-key=`$KEYGEN -a RSASHA1 -q -r $RANDFILE example.` || ret=1
+key=`$KEYGEN -a RSASHA1 -q example.` || ret=1
 mv $key.key $key
 $DSFROMKEY $key > dsfromkey.out.$n 2>&1 && ret=1
 grep "$key.key: file not found" dsfromkey.out.$n > /dev/null || ret=1
@@ -2748,7 +2748,7 @@ cd ns3
 for file in K*.moved; do
   mv $file `basename $file .moved`
 done
-$SIGNER -S -r $RANDFILE -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
+$SIGNER -S -N increment -e now+1mi -o expiring.example expiring.example.db > /dev/null 2>&1
 ) || ret=1
 $RNDCCMD 10.53.0.3 reload expiring.example 2>&1 | sed 's/^/ns3 /' | cat_i
 
@@ -3115,7 +3115,7 @@ do
 	   alg=`expr $alg + 1`
 	   continue;;
 	esac
-	key1=`$KEYGEN -a $alg $size -n zone -r $RANDFILE example 2> keygen.err`
+	key1=`$KEYGEN -a $alg $size -n zone example 2> keygen.err`
 	if grep "unsupported algorithm" keygen.err > /dev/null
 	then
 		alg=`expr $alg + 1`
@@ -3130,7 +3130,7 @@ do
 		continue
 	fi
 	$SETTIME -I now+4d $key1.private > /dev/null
-	key2=`$KEYGEN -v 10 -r $RANDFILE -i 3d -S $key1.private 2> /dev/null`
+	key2=`$KEYGEN -v 10 -i 3d -S $key1.private 2> /dev/null`
 	test -f $key2.key -a -f $key2.private || {
 		ret=1
 		echo_i "'dnssec-keygen -S' failed for algorithm: $alg"
@@ -3447,8 +3447,8 @@ ret=0
 # generate signed zone with MX and AAAA records at apex.
 (
 cd signer
-$KEYGEN -q -r $RANDFILE -a RSASHA1 -3 -fK remove > /dev/null
-$KEYGEN -q -r $RANDFILE -a RSASHA1 -33 remove > /dev/null
+$KEYGEN -q -a RSASHA1 -3 -fK remove > /dev/null
+$KEYGEN -q -a RSASHA1 -33 remove > /dev/null
 echo > remove.db.signed
 $SIGNER -S -o remove -D -f remove.db.signed remove.db.in > signer.out.1.$n 2>&1
 )
diff --git a/bin/tests/system/dsdigest/ns1/sign.sh b/bin/tests/system/dsdigest/ns1/sign.sh
index 0d4589043f..51c08899be 100644
--- a/bin/tests/system/dsdigest/ns1/sign.sh
+++ b/bin/tests/system/dsdigest/ns1/sign.sh
@@ -21,12 +21,12 @@ zonefile=root.db
 cp ../ns2/dsset-good$TP .
 cp ../ns2/dsset-bad$TP .
 
-key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 2048 -n zone -f KSK $zone`
+key1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+key2=`$KEYGEN -q -a RSASHA1 -b 2048 -n zone -f KSK $zone`
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 # Configure the resolving server with a trusted key.
 
diff --git a/bin/tests/system/dsdigest/ns2/sign.sh b/bin/tests/system/dsdigest/ns2/sign.sh
index 2c52d3bbf6..e61d8b232a 100644
--- a/bin/tests/system/dsdigest/ns2/sign.sh
+++ b/bin/tests/system/dsdigest/ns2/sign.sh
@@ -19,16 +19,16 @@ zone2=bad.
 infile2=bad.db.in
 zonefile2=bad.db
 
-keyname11=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone1`
-keyname12=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone1`
-keyname21=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone2`
-keyname22=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone -f KSK $zone2`
+keyname11=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone1`
+keyname12=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone1`
+keyname21=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone2`
+keyname22=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone2`
 
 cat $infile1 $keyname11.key $keyname12.key >$zonefile1
 cat $infile2 $keyname21.key $keyname22.key >$zonefile2
 
-$SIGNER -P -g -r $RANDFILE -o $zone1 $zonefile1 > /dev/null
-$SIGNER -P -g -r $RANDFILE -o $zone2 $zonefile2 > /dev/null
+$SIGNER -P -g -o $zone1 $zonefile1 > /dev/null
+$SIGNER -P -g -o $zone2 $zonefile2 > /dev/null
 
 DSFILENAME1=dsset-`echo $zone1 |sed -e "s/\.$//g"`$TP
 DSFILENAME2=dsset-`echo $zone2 |sed -e "s/\.$//g"`$TP
diff --git a/bin/tests/system/dsdigest/setup.sh b/bin/tests/system/dsdigest/setup.sh
index 4c11328ec5..e8a39a0196 100644
--- a/bin/tests/system/dsdigest/setup.sh
+++ b/bin/tests/system/dsdigest/setup.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/ecdsa/ns1/sign.sh b/bin/tests/system/ecdsa/ns1/sign.sh
index 39eb336630..d679ae8170 100644
--- a/bin/tests/system/ecdsa/ns1/sign.sh
+++ b/bin/tests/system/ecdsa/ns1/sign.sh
@@ -16,13 +16,13 @@ zone=.
 infile=root.db.in
 zonefile=root.db
 
-key1=`$KEYGEN -q -r $RANDFILE -a ECDSAP256SHA256 -n zone $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a ECDSAP384SHA384 -n zone -f KSK $zone`
+key1=`$KEYGEN -q -a ECDSAP256SHA256 -n zone $zone`
+key2=`$KEYGEN -q -a ECDSAP384SHA384 -n zone -f KSK $zone`
 $DSFROMKEY -a sha-384 $key2.key > dsset-384
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
 
 # Configure the resolving server with a trusted key.
 
diff --git a/bin/tests/system/ecdsa/setup.sh b/bin/tests/system/ecdsa/setup.sh
index c48b526bde..f5482e6c38 100644
--- a/bin/tests/system/ecdsa/setup.sh
+++ b/bin/tests/system/ecdsa/setup.sh
@@ -12,6 +12,4 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/eddsa/ns1/sign.sh b/bin/tests/system/eddsa/ns1/sign.sh
index 15814be7ef..8a807abae4 100644
--- a/bin/tests/system/eddsa/ns1/sign.sh
+++ b/bin/tests/system/eddsa/ns1/sign.sh
@@ -16,14 +16,14 @@ zone=.
 infile=root.db.in
 zonefile=root.db
 
-key1=`$KEYGEN -q -r $RANDFILE -a ED25519 -n zone $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a ED25519 -n zone -f KSK $zone`
-#key2=`$KEYGEN -q -r $RANDFILE -a ED448 -n zone -f KSK $zone`
+key1=`$KEYGEN -q -a ED25519 -n zone $zone`
+key2=`$KEYGEN -q -a ED25519 -n zone -f KSK $zone`
+#key2=`$KEYGEN -q -a ED448 -n zone -f KSK $zone`
 $DSFROMKEY -a sha-256 $key2.key > dsset-256
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
 
 # Configure the resolving server with a trusted key.
 
diff --git a/bin/tests/system/eddsa/ns2/sign.sh b/bin/tests/system/eddsa/ns2/sign.sh
index 76f5e5dba6..f9d819459d 100644
--- a/bin/tests/system/eddsa/ns2/sign.sh
+++ b/bin/tests/system/eddsa/ns2/sign.sh
@@ -23,4 +23,4 @@ do
 	cp $i `echo $i | sed s/X/K/`
 done
 
-$SIGNER -P -z -s $starttime -e $endtime -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -P -z -s $starttime -e $endtime -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/eddsa/setup.sh b/bin/tests/system/eddsa/setup.sh
index c48b526bde..f5482e6c38 100644
--- a/bin/tests/system/eddsa/setup.sh
+++ b/bin/tests/system/eddsa/setup.sh
@@ -12,6 +12,4 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
index f7555810a0..4075b3415e 100755
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -21,10 +21,10 @@ infile=signed.db.in
 zonefile=signed.db.signed
 outfile=signed.db.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
index f7555810a0..4075b3415e 100755
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -21,10 +21,10 @@ infile=signed.db.in
 zonefile=signed.db.signed
 outfile=signed.db.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
diff --git a/bin/tests/system/filter-aaaa/setup.sh b/bin/tests/system/filter-aaaa/setup.sh
index c6c36ecdf5..97666786e6 100644
--- a/bin/tests/system/filter-aaaa/setup.sh
+++ b/bin/tests/system/filter-aaaa/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named1.conf.in ns1/named.conf
 copy_setports ns2/named1.conf.in ns2/named.conf
 copy_setports ns3/named1.conf.in ns3/named.conf
diff --git a/bin/tests/system/gost/ns1/sign.sh b/bin/tests/system/gost/ns1/sign.sh
index bdd78d5341..5eccd6bdaf 100644
--- a/bin/tests/system/gost/ns1/sign.sh
+++ b/bin/tests/system/gost/ns1/sign.sh
@@ -16,13 +16,13 @@ zone=.
 infile=root.db.in
 zonefile=root.db
 
-key1=`$KEYGEN -q -r $RANDFILE -a ECCGOST -n zone $zone`
-key2=`$KEYGEN -q -r $RANDFILE -a ECCGOST -n zone -f KSK $zone`
+key1=`$KEYGEN -q -a ECCGOST -n zone $zone`
+key2=`$KEYGEN -q -a ECCGOST -n zone -f KSK $zone`
 $DSFROMKEY -a gost $key2.key > dsset-gost
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
 
 # Configure the resolving server with a trusted key.
 
diff --git a/bin/tests/system/gost/setup.sh b/bin/tests/system/gost/setup.sh
index c48b526bde..f5482e6c38 100644
--- a/bin/tests/system/gost/setup.sh
+++ b/bin/tests/system/gost/setup.sh
@@ -12,6 +12,4 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 cd ns1 && $SHELL sign.sh
diff --git a/bin/tests/system/inline/ns1/sign.sh b/bin/tests/system/inline/ns1/sign.sh
index 7626a6771e..03a55ad761 100644
--- a/bin/tests/system/inline/ns1/sign.sh
+++ b/bin/tests/system/inline/ns1/sign.sh
@@ -15,8 +15,8 @@ SYSTEMTESTTOP=../..
 zone=.
 rm -f K.+*+*.key
 rm -f K.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $SIGNER -S -x -T 1200 -o ${zone} root.db > signer.out 2>&1
 [ $? = 0 ] || cat signer.out
 
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index c36100d136..8e6add5d3b 100755
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -15,36 +15,36 @@ SYSTEMTESTTOP=../..
 zone=bits
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=noixfr
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=master
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=dynamic
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=updated
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 $SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
 cp master2.db.in updated.db
@@ -53,72 +53,72 @@ cp master2.db.in updated.db
 zone=expired
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 $SIGNER -PS -s 20100101000000 -e 20110101000000 -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null 2>&1
 
 zone=retransfer
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=nsec3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=retransfer3
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=inactiveksk
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 -f KSK $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=inactivezsk
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -P now -A now+3600 $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
 zone=removedkeys-primary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 
 zone=removedkeys-secondary
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 
 for s in a c d h k l m q z
 do
 	zone=test-$s
-	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+	keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 done
 
 for s in b f i o p t v
 do
 	zone=test-$s
-	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-	keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+	keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+	keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
 done
 
 zone=externalkey
@@ -134,14 +134,14 @@ do
             touch $checkfile ;;
         ECCGOST) 
             fail=0
-            $KEYGEN -q -r $RANDFILE -a eccgost test > /dev/null 2>&1 || fail=1
+            $KEYGEN -q -a eccgost test > /dev/null 2>&1 || fail=1
             rm -f Ktest*
             [ $fail != 0 ] && continue
             checkfile=../checkgost
             touch $checkfile ;;
         ECDSAP256SHA256)
             fail=0
-            $KEYGEN -q -r $RANDFILE -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
+            $KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1
             rm -f Ktest*
             [ $fail != 0 ] && continue
             $SHELL ../checkdsa.sh 2> /dev/null || continue
@@ -150,10 +150,10 @@ do
         *) ;;
     esac
 
-    k1=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
-    k2=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-    k3=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone $zone`
-    k4=`$KEYGEN -q -r $RANDFILE -a $alg -b 1024 -n zone -f KSK $zone`
+    k1=`$KEYGEN -q -a $alg -b 1024 -n zone -f KSK $zone`
+    k2=`$KEYGEN -q -a $alg -b 1024 -n zone $zone`
+    k3=`$KEYGEN -q -a $alg -b 1024 -n zone $zone`
+    k4=`$KEYGEN -q -a $alg -b 1024 -n zone -f KSK $zone`
     $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db
 
     # Convert k1 and k2 in to External Keys.
diff --git a/bin/tests/system/inline/ns7/sign.sh b/bin/tests/system/inline/ns7/sign.sh
index 9fd5553edb..6ba5466407 100755
--- a/bin/tests/system/inline/ns7/sign.sh
+++ b/bin/tests/system/inline/ns7/sign.sh
@@ -18,6 +18,6 @@ SYSTEMTESTTOP=../..
 zone=nsec3-loop
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
diff --git a/bin/tests/system/inline/setup.sh b/bin/tests/system/inline/setup.sh
index 7c17b45012..dd9fcd243e 100644
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -12,8 +12,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 cp ns1/root.db.in ns1/root.db
 rm -f ns1/root.db.signed
 
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index 6e4ad8e06a..ea813d559b 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -619,8 +619,8 @@ grep "ANSWER: 1," dig.out.ns5.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "setup broken"; fi
 status=`expr $status + $ret`
 copy_setports ns5/named.conf.post ns5/named.conf
-(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE bits) > /dev/null 2>&1
-(cd ns5; $KEYGEN -q -a rsasha256 -r $RANDFILE -f KSK bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a rsasha256 bits) > /dev/null 2>&1
+(cd ns5; $KEYGEN -q -a rsasha256 -f KSK bits) > /dev/null 2>&1
 $RNDCCMD 10.53.0.5 reload 2>&1 | sed 's/^/ns5 /' | cat_i
 for i in 1 2 3 4 5 6 7 8 9 10
 do
@@ -922,7 +922,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "testing imported key won't overwrite a private key ($n)"
 ret=0
-key=`$KEYGEN -r $RANDFILE -q -a rsasha256 import.example`
+key=`$KEYGEN -q -a rsasha256 import.example`
 cp ${key}.key import.key
 # import should fail
 $IMPORTKEY -f import.key import.example > /dev/null 2>&1 && ret=1
diff --git a/bin/tests/system/keepalive/setup.sh b/bin/tests/system/keepalive/setup.sh
index dc74cd786f..9b9aa029a1 100644
--- a/bin/tests/system/keepalive/setup.sh
+++ b/bin/tests/system/keepalive/setup.sh
@@ -17,5 +17,3 @@ $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
-
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
index 9720016db5..3fc0f99dbe 100644
--- a/bin/tests/system/keymgr/setup.sh
+++ b/bin/tests/system/keymgr/setup.sh
@@ -12,7 +12,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-KEYGEN="$KEYGEN -qr $RANDFILE"
+KEYGEN="$KEYGEN -q"
 
 $SHELL clean.sh
 
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
index 88b43d90fb..2f06fd27b4 100644
--- a/bin/tests/system/keymgr/tests.sh
+++ b/bin/tests/system/keymgr/tests.sh
@@ -38,10 +38,10 @@ for dir in [0-9][0-9]-*; do
         [ -e "$dir/policy.conf" ] && policy="-c $dir/policy.conf"
         # run keymgr to update keys
 	if [ "$CYGWIN" ]; then
-            $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` -r $RANDFILE \
+            $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
 		-s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1
 	else
-	    $KEYMGR $policy -K $dir -g $KEYGEN -r $RANDFILE \
+	    $KEYMGR $policy -K $dir -g $KEYGEN \
 		-s $SETTIME $kargs > keymgr.$n 2>&1
 	fi
         # check that return code matches expectations
diff --git a/bin/tests/system/legacy/build.sh b/bin/tests/system/legacy/build.sh
index 6c9d7df9bd..99dc2deb5e 100644
--- a/bin/tests/system/legacy/build.sh
+++ b/bin/tests/system/legacy/build.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 $SHELL clean.sh
 
 (cd ns6 && $SHELL -e sign.sh)
diff --git a/bin/tests/system/legacy/ns6/sign.sh b/bin/tests/system/legacy/ns6/sign.sh
index ba083bedd4..fd491f3b79 100755
--- a/bin/tests/system/legacy/ns6/sign.sh
+++ b/bin/tests/system/legacy/ns6/sign.sh
@@ -21,9 +21,9 @@ infile=edns512.db.in
 zonefile=edns512.db
 outfile=edns512.db.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
diff --git a/bin/tests/system/legacy/ns7/sign.sh b/bin/tests/system/legacy/ns7/sign.sh
index d1613a236e..450bdd53d3 100755
--- a/bin/tests/system/legacy/ns7/sign.sh
+++ b/bin/tests/system/legacy/ns7/sign.sh
@@ -21,12 +21,12 @@ infile=edns512-notcp.db.in
 zonefile=edns512-notcp.db
 outfile=edns512-notcp.db.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a RSASHA512 -b 4096 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -r $RANDFILE -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -g -o $zone -f $outfile -e +30y $zonefile > /dev/null 2> signer.err || cat signer.err
 
 grep -v '^;' $keyname2.key | $PERL -n -e '
 local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh
index 70aef30bd3..27d14c5d90 100755
--- a/bin/tests/system/masterformat/ns1/compile.sh
+++ b/bin/tests/system/masterformat/ns1/compile.sh
@@ -26,7 +26,7 @@ SYSTEMTESTTOP=../..
 ../named-compilezone -D -F map -o example.db.map example-map \
         example.db > /dev/null 2>&1
 
-$KEYGEN -q -a rsasha256 -r $RANDFILE signed > /dev/null 2>&1
-$KEYGEN -q -a rsasha256 -r $RANDFILE -fk signed > /dev/null 2>&1
+$KEYGEN -q -a rsasha256 signed > /dev/null 2>&1
+$KEYGEN -q -a rsasha256 -fk signed > /dev/null 2>&1
 $SIGNER -S -f signed.db.signed -o signed signed.db > /dev/null 2>&1
 ../named-compilezone -D -F map -o signed.db.map signed signed.db.signed > /dev/null 2>&1
diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh
index 2824647ff4..f8e75a3891 100755
--- a/bin/tests/system/masterformat/setup.sh
+++ b/bin/tests/system/masterformat/setup.sh
@@ -10,8 +10,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/metadata/setup.sh b/bin/tests/system/metadata/setup.sh
index 796bc23567..29ed0c3b88 100644
--- a/bin/tests/system/metadata/setup.sh
+++ b/bin/tests/system/metadata/setup.sh
@@ -14,50 +14,48 @@ SYSTEMTESTTOP=..
 
 $SHELL ./clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 pzone=parent.nil
 czone=child.parent.nil
 
 echo_i "generating keys"
 
 # active zsk
-zsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $czone`
+zsk=`$KEYGEN -q -a rsasha1 $czone`
 echo $zsk > zsk.key
 
 # not yet published or active
-pending=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
+pending=`$KEYGEN -q -a rsasha1 -P none -A none $czone`
 echo $pending > pending.key
 
 # published but not active
-standby=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
+standby=`$KEYGEN -q -a rsasha1 -A none $czone`
 echo $standby > standby.key
 
 # inactive
-inact=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+inact=`$KEYGEN -q -a rsasha1 -P now-24h -A now-24h -I now $czone`
 echo $inact > inact.key
 
 # active ksk
-ksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
+ksk=`$KEYGEN -q -a rsasha1 -fk $czone`
 echo $ksk > ksk.key
 
 # published but not YET active; will be active in 15 seconds
-rolling=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
+rolling=`$KEYGEN -q -a rsasha1 -fk $czone`
 $SETTIME -A now+15s $rolling > /dev/null
 echo $rolling > rolling.key
 
 # revoked
-revoke1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
+revoke1=`$KEYGEN -q -a rsasha1 -fk $czone`
 echo $revoke1 > prerev.key
 revoke2=`$REVOKE $revoke1`
 echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key
 
-pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
+pzsk=`$KEYGEN -q -a rsasha1 $pzone`
 echo $pzsk > parent.zsk.key
 
-pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
+pksk=`$KEYGEN -q -a rsasha1 -fk $pzone`
 echo $pksk > parent.ksk.key
 
-oldstyle=`$KEYGEN -Cq -a rsasha1 -r $RANDFILE $pzone`
+oldstyle=`$KEYGEN -Cq -a rsasha1 $pzone`
 echo $oldstyle > oldstyle.key
 
diff --git a/bin/tests/system/metadata/tests.sh b/bin/tests/system/metadata/tests.sh
index 349a8dc7ed..a358adfd7b 100644
--- a/bin/tests/system/metadata/tests.sh
+++ b/bin/tests/system/metadata/tests.sh
@@ -29,8 +29,6 @@ rolling=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < rolling.key`
 standby=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < standby.key`
 zsk=`sed 's/^K'${czone}'.+005+0*\([0-9]\)/\1/' < zsk.key`
 
-$GENRANDOM 800 $RANDFILE
-
 echo_i "signing zones"
 $SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
 $SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1
@@ -175,7 +173,7 @@ status=`expr $status + $ret`
 echo_i "checking warning about delete date < inactive date with dnssec-keygen ($n)"
 ret=0
 # keygen should print a warning about delete < inactive
-$KEYGEN -q -a rsasha1 -r $RANDFILE -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
+$KEYGEN -q -a rsasha1 -I now+15s -D now $czone > tmp.out 2>&1 || ret=1
 grep "warning" tmp.out > /dev/null 2>&1 || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -183,15 +181,15 @@ status=`expr $status + $ret`
 
 echo_i "checking correct behavior setting activation without publication date ($n)"
 ret=0
-key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w $czone`
+key=`$KEYGEN -q -a rsasha1 -A +1w $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 act=`$SETTIME -upA $key | awk '{print $2}'`
 [ $pub -eq $act ] || ret=1
-key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -i 1d $czone`
+key=`$KEYGEN -q -a rsasha1 -A +1w -i 1d $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 act=`$SETTIME -upA $key | awk '{print $2}'`
 [ $pub -lt $act ] || ret=1
-key=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A +1w -P never $czone`
+key=`$KEYGEN -q -a rsasha1 -A +1w -P never $czone`
 pub=`$SETTIME -upP $key | awk '{print $2}'`
 [ $pub = "UNSET" ] || ret=1
 n=`expr $n + 1`
@@ -200,8 +198,8 @@ status=`expr $status + $ret`
 
 echo_i "checking calculation of dates for a successor key ($n)"
 ret=0
-oldkey=`$KEYGEN -a RSASHA1 -q -r $RANDFILE $czone`
-newkey=`$KEYGEN -a RSASHA1 -q -r $RANDFILE $czone`
+oldkey=`$KEYGEN -a RSASHA1 -q $czone`
+newkey=`$KEYGEN -a RSASHA1 -q $czone`
 $SETTIME -A -2d -I +2d $oldkey > settime1.test$n 2>&1 || ret=1
 $SETTIME -i 1d -S $oldkey $newkey > settime2.test$n 2>&1 || ret=1
 $SETTIME -pA $newkey | grep "1970" > /dev/null && ret=1
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 9812a8238b..211e7dfa3f 100644
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -15,10 +15,10 @@ SYSTEMTESTTOP=../..
 zone=.
 zonefile=root.db
 
-keyname=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE $zone`
-zskkeyname=`$KEYGEN -a rsasha256 -q -r $RANDFILE $zone`
+keyname=`$KEYGEN -a rsasha256 -qfk $zone`
+zskkeyname=`$KEYGEN -a rsasha256 -q $zone`
 
-$SIGNER -Sg -r $RANDFILE -o $zone $zonefile > /dev/null 2>/dev/null
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
 
 # Configure the resolving server with a managed trusted key.
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
diff --git a/bin/tests/system/mkeys/setup.sh b/bin/tests/system/mkeys/setup.sh
index 0ecfc394db..acfa5538c9 100644
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -14,9 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
-
 copy_setports ns1/named1.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index 760bda63b2..c72811aaf0 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -129,7 +129,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "check new trust anchor can be added ($n)"
 ret=0
-standby1=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
+standby1=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
 mkeys_loadkeys_on 1
 mkeys_refresh_on 2
 mkeys_status_on 2 > rndc.out.$n 2>&1
@@ -348,7 +348,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "revoke original key, add new standby ($n)"
 ret=0
-standby2=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
+standby2=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
 $SETTIME -R now -K ns1 `cat ns1/managed.key` > /dev/null
 mkeys_loadkeys_on 1
 mkeys_refresh_on 2
@@ -380,7 +380,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo_i "revoke standby before it is trusted ($n)"
 ret=0
-standby3=`$KEYGEN -a rsasha256 -qfk -r $RANDFILE -K ns1 .`
+standby3=`$KEYGEN -a rsasha256 -qfk -K ns1 .`
 mkeys_loadkeys_on 1
 mkeys_refresh_on 2
 mkeys_status_on 2 > rndc.out.a.$n 2>&1
@@ -474,7 +474,7 @@ echo_i "reset the root server"
 $SETTIME -D none -R none -K ns1 `cat ns1/managed.key` > /dev/null
 $SETTIME -D now -K ns1 $standby1 > /dev/null
 $SETTIME -D now -K ns1 $standby2 > /dev/null
-$SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>/dev/null
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
 copy_setports ns1/named2.conf.in ns1/named.conf
 rm -f ns1/root.db.signed.jnl
 mkeys_reconfig_on 1
@@ -508,7 +508,7 @@ rm -f ns1/root.db.signed.jnl
 # but we actually do want post-sign verification to happen to ensure the zone
 # is correct before we break it on purpose.
 $SETTIME -R none -D none -K ns1 $standby1 > /dev/null
-$SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null
+$SIGNER -Sg -K ns1 -N unixtime -O full -o . -f signer.out.$n ns1/root.db > /dev/null 2>/dev/null
 cp -f ns1/root.db.signed ns1/root.db.tmp
 BADSIG="SVn2tLDzpNX2rxR4xRceiCsiTqcWNKh7NQ0EQfCrVzp9WEmLw60sQ5kP xGk4FS/xSKfh89hO2O/H20Bzp0lMdtr2tKy8IMdU/mBZxQf2PXhUWRkg V2buVBKugTiOPTJSnaqYCN3rSfV1o7NtC1VNHKKK/D5g6bpDehdn5Gaq kpBhN+MSCCh9OZP2IT20luS1ARXxLlvuSVXJ3JYuuhTsQXUbX/SQpNoB Lo6ahCE55szJnmAxZEbb2KOVnSlZRA6ZBHDhdtO0S4OkvcmTutvcVV+7 w53CbKdaXhirvHIh0mZXmYk2PbPLDY7PU9wSH40UiWPOB9f00wwn6hUe uEQ1Qg=="
 # Less than a second may have passed since ns1 was started.  If we call
@@ -560,7 +560,7 @@ $SETTIME -D now -K ns1 $standby1 > /dev/null
 # "nanoseconds" field of isc_time_t, due to zone load time being seemingly
 # equal to master file modification time.
 sleep 1
-$SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>/dev/null
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
 mkeys_reload_on 1
 mkeys_flush_on 2
 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
@@ -650,7 +650,7 @@ n=`expr $n + 1`
 echo_i "restore root server, check validation succeeds again ($n)"
 ret=0
 rm -f ns1/root.db.signed.jnl
-$SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>/dev/null
+$SIGNER -Sg -K ns1 -N unixtime -o . ns1/root.db > /dev/null 2>/dev/null
 mkeys_reload_on 1
 mkeys_refresh_on 2
 mkeys_status_on 2 > rndc.out.$n 2>&1
diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh
index 253e4e73d3..7d627ae7ce 100644
--- a/bin/tests/system/nsupdate/ns3/sign.sh
+++ b/bin/tests/system/nsupdate/ns3/sign.sh
@@ -16,31 +16,31 @@ zone=nsec3param.test.
 infile=nsec3param.test.db.in
 zonefile=nsec3param.test.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname1=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname2=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -P -3 - -H 1 -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -3 - -H 1 -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
 zone=dnskey.test.
 infile=dnskey.test.db.in
 zonefile=dnskey.test.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname1=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname2=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
 zone=delegation.test.
 infile=delegation.test.db.in
 zonefile=delegation.test.db
 
-keyname1=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 -f KSK $zone`
-keyname2=`$KEYGEN -q -a RSASHA256 -r $RANDFILE -3 $zone`
+keyname1=`$KEYGEN -q -a RSASHA256 -3 -f KSK $zone`
+keyname2=`$KEYGEN -q -a RSASHA256 -3 $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -A -3 - -P -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index e4b41a9b2c..63b6fcd89c 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 $SHELL clean.sh
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
@@ -56,14 +54,14 @@ ns1.update.nil.         A       10.53.0.2
 ns2.update.nil.		AAAA	::1
 EOF
 
-$DDNSCONFGEN -q -r $RANDFILE -z example.nil > ns1/ddns.key
+$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
 
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha384 -k sha384-key -z keytests.nil > ns1/sha384.key
-$DDNSCONFGEN -q -r $RANDFILE -a hmac-sha512 -k sha512-key -z keytests.nil > ns1/sha512.key
+$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
+$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
+$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
+$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
+$DDNSCONFGEN -q -a hmac-sha384 -k sha384-key -z keytests.nil > ns1/sha384.key
+$DDNSCONFGEN -q -a hmac-sha512 -k sha512-key -z keytests.nil > ns1/sha512.key
 
 (cd ns3; $SHELL -e sign.sh)
 
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 0f37ab85c7..c9f332a526 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -196,7 +196,7 @@ grep "mx03.update.nil/MX:.*MX is an address" ns1/named.run > /dev/null 2>&1 || r
 
 ret=0
 echo_i "check SIG(0) key is accepted"
-key=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -T KEY -n ENTITY xxx`
+key=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -T KEY -n ENTITY xxx`
 echo "" | $NSUPDATE -k ${key}.private > /dev/null 2>&1 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
diff --git a/bin/tests/system/padding/setup.sh b/bin/tests/system/padding/setup.sh
index bbf45d2a23..4563f04145 100644
--- a/bin/tests/system/padding/setup.sh
+++ b/bin/tests/system/padding/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh
index 324dc12932..6e7c38854b 100644
--- a/bin/tests/system/pending/ns1/sign.sh
+++ b/bin/tests/system/pending/ns1/sign.sh
@@ -21,11 +21,11 @@ zonefile=root.db
 cp ../ns2/dsset-example$TP .
 cp ../ns2/dsset-example.com$TP .
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -f KSK -n zone $zone`
+keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone`
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -g -o $zone $zonefile > /dev/null 2>&1
 
 # Configure the resolving server with a trusted key.
 
diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh
index aa0e956aa8..2e8d68a669 100644
--- a/bin/tests/system/pending/ns2/sign.sh
+++ b/bin/tests/system/pending/ns2/sign.sh
@@ -17,12 +17,12 @@ for domain in example example.com; do
 	infile=${domain}.db.in
 	zonefile=${domain}.db
 
-	keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-	keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
+	keyname1=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+	keyname2=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
 
 	cat $infile $keyname1.key $keyname2.key > $zonefile
 
-	$SIGNER -3 bebe -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+	$SIGNER -3 bebe -o $zone $zonefile > /dev/null 2>&1
 done
 
 # remove "removed" record from example.com, causing the server to
diff --git a/bin/tests/system/pending/setup.sh b/bin/tests/system/pending/setup.sh
index 209b9f5389..29ad0f07f1 100644
--- a/bin/tests/system/pending/setup.sh
+++ b/bin/tests/system/pending/setup.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/pipelined/setup.sh b/bin/tests/system/pipelined/setup.sh
index bbf45d2a23..4563f04145 100644
--- a/bin/tests/system/pipelined/setup.sh
+++ b/bin/tests/system/pipelined/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/pipelined/tests.sh b/bin/tests/system/pipelined/tests.sh
index 1755c02647..a6720ce656 100644
--- a/bin/tests/system/pipelined/tests.sh
+++ b/bin/tests/system/pipelined/tests.sh
@@ -19,7 +19,7 @@ status=0
 
 echo_i "check pipelined TCP queries"
 ret=0
-$PIPEQUERIES -r $RANDFILE -p ${PORT} < input > raw || ret=1
+$PIPEQUERIES -p ${PORT} < input > raw || ret=1
 awk '{ print $1 " " $5 }' < raw > output
 sort < output > output-sorted
 diff ref output-sorted || { ret=1 ; echo_i "diff sorted failed"; }
@@ -43,7 +43,7 @@ status=`expr $status + $ret`
 
 echo_i "check keep-response-order"
 ret=0
-$PIPEQUERIES -r $RANDFILE -p ${PORT} ++ < inputb > rawb || ret=1
+$PIPEQUERIES -p ${PORT} ++ < inputb > rawb || ret=1
 awk '{ print $1 " " $5 }' < rawb > outputb
 diff refb outputb || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
diff --git a/bin/tests/system/pkcs11/setup.sh b/bin/tests/system/pkcs11/setup.sh
index 4fc5ec5b99..cd596198a0 100644
--- a/bin/tests/system/pkcs11/setup.sh
+++ b/bin/tests/system/pkcs11/setup.sh
@@ -33,7 +33,7 @@ if [ "x$have_rsa" != "x" ]; then
             -l "object=robie-rsa-ksk;pin-source=$PWD/pin" rsa.example`
 
     cat $infile $rsazsk1.key $rsaksk.key > $zonefile
-    $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+    $SIGNER -a -P -g -o $zone $zonefile \
             > /dev/null 2> signer.err || cat signer.err
     cp $rsazsk2.key ns1/rsa.key
     mv Krsa* ns1
@@ -58,7 +58,7 @@ if [ "x$have_ecc" != "x" ]; then
             -l "object=robie-ecc-ksk;pin-source=$PWD/pin" ecc.example`
 
     cat $infile $ecczsk1.key $eccksk.key > $zonefile
-    $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+    $SIGNER -a -P -g -o $zone $zonefile \
         > /dev/null 2> signer.err || cat signer.err
     cp $ecczsk2.key ns1/ecc.key
     mv Kecc* ns1
@@ -86,7 +86,7 @@ if [ "x$have_ecx" != "x" ]; then
 #           -l "object=robie-ecx-ksk;pin-source=$PWD/pin" ecx.example`
 
     cat $infile $ecxzsk1.key $ecxksk.key > $zonefile
-    $SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+    $SIGNER -a -P -g -o $zone $zonefile \
         > /dev/null 2> signer.err || cat signer.err
     cp $ecxzsk2.key ns1/ecx.key
     mv Kecx* ns1
diff --git a/bin/tests/system/pkcs11ssl/setup.sh b/bin/tests/system/pkcs11ssl/setup.sh
index d2fbe922c7..d1fddd2f9e 100644
--- a/bin/tests/system/pkcs11ssl/setup.sh
+++ b/bin/tests/system/pkcs11ssl/setup.sh
@@ -32,7 +32,7 @@ rsaksk=`$KEYFRLAB -a RSASHA1 -f ksk \
         -l "robie-rsa-ksk" rsa.example`
 
 cat $infile $rsazsk1.key $rsaksk.key > $zonefile
-$SIGNER -a -P -g -r $RANDFILE -o $zone $zonefile \
+$SIGNER -a -P -g -o $zone $zonefile \
         > /dev/null 2> signer.err || cat signer.err
 cp $rsazsk2.key ns1/rsa.key
 mv Krsa* ns1
diff --git a/bin/tests/system/redirect/ns1/sign.sh b/bin/tests/system/redirect/ns1/sign.sh
index 3048160f38..719da48363 100644
--- a/bin/tests/system/redirect/ns1/sign.sh
+++ b/bin/tests/system/redirect/ns1/sign.sh
@@ -16,20 +16,20 @@ zone=signed
 infile=example.db
 zonefile=signed.db
 
-key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
-key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 $zone`
+key2=`$KEYGEN -q -a rsasha256 -fk $zone`
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 zone=nsec3
 infile=example.db
 zonefile=nsec3.db
 
-key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
-key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -3 $zone`
+key2=`$KEYGEN -q -a rsasha256 -3 -fk $zone`
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -3 - -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/redirect/ns3/sign.sh b/bin/tests/system/redirect/ns3/sign.sh
index 3048160f38..719da48363 100644
--- a/bin/tests/system/redirect/ns3/sign.sh
+++ b/bin/tests/system/redirect/ns3/sign.sh
@@ -16,20 +16,20 @@ zone=signed
 infile=example.db
 zonefile=signed.db
 
-key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
-key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 $zone`
+key2=`$KEYGEN -q -a rsasha256 -fk $zone`
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 zone=nsec3
 infile=example.db
 zonefile=nsec3.db
 
-key1=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 $zone`
-key2=`$KEYGEN -q -a rsasha256 -r $RANDFILE -3 -fk $zone`
+key1=`$KEYGEN -q -a rsasha256 -3 $zone`
+key2=`$KEYGEN -q -a rsasha256 -3 -fk $zone`
 
 cat $infile $key1.key $key2.key > $zonefile
 
-$SIGNER -P -3 - -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -3 - -g -o $zone $zonefile > /dev/null
diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh
index 120a98f3d7..c5400205f2 100644
--- a/bin/tests/system/redirect/setup.sh
+++ b/bin/tests/system/redirect/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh
index 6cf7b8cee1..d7ec73438c 100644
--- a/bin/tests/system/resolver/ns6/keygen.sh
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -16,19 +16,19 @@ zone=ds.example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
-zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -b 2048 $zone`
+ksk=`$KEYGEN -q -a rsasha256 -fk $zone`
+zsk=`$KEYGEN -q -a rsasha256 -b 2048 $zone`
 cat $ksk.key $zsk.key >> $zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 zone=example.net
 zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
-ksk=`$KEYGEN -q -a rsasha256 -r $RANDFILE -fk $zone`
-zsk=`$KEYGEN -q -a rsasha256 -r $RANDFILE $zone`
+ksk=`$KEYGEN -q -a rsasha256 -fk $zone`
+zsk=`$KEYGEN -q -a rsasha256 $zone`
 cat $ksk.key $zsk.key dsset-ds.example.net$TP >> $zonefile
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -P -o $zone $zonefile > /dev/null 2>&1
 
 # Configure a trusted key statement (used by delve)
 cat $ksk.key | grep -v '^; ' | $PERL -n -e '
diff --git a/bin/tests/system/resolver/setup.sh b/bin/tests/system/resolver/setup.sh
index 665606ccc1..1e9456a327 100644
--- a/bin/tests/system/resolver/setup.sh
+++ b/bin/tests/system/resolver/setup.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 cp ns4/tld1.db ns4/tld.db
 cp ns6/to-be-removed.tld.db.in ns6/to-be-removed.tld.db
 cp ns7/server.db.in ns7/server.db
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
index d5cf8b7fbf..cb64dd9b9c 100644
--- a/bin/tests/system/rndc/setup.sh
+++ b/bin/tests/system/rndc/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 $SHELL ../genzone.sh 2 >ns2/nil.db
 $SHELL ../genzone.sh 2 >ns2/other.db
 $SHELL ../genzone.sh 2 >ns2/static.db
@@ -31,7 +29,7 @@ copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 
 make_key () {
-    $RNDCCONFGEN -r $RANDFILE -k key$1 -A $3 -s 10.53.0.4 -p $2 \
+    $RNDCCONFGEN -k key$1 -A $3 -s 10.53.0.4 -p $2 \
             > ns4/key${1}.conf 2> /dev/null
     egrep -v '(^# Start|^# End|^# Use|^[^#])' ns4/key$1.conf | cut -c3- | \
             sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
diff --git a/bin/tests/system/rootkeysentinel/ns1/sign.sh b/bin/tests/system/rootkeysentinel/ns1/sign.sh
index 9f91928694..0fb350ab13 100644
--- a/bin/tests/system/rootkeysentinel/ns1/sign.sh
+++ b/bin/tests/system/rootkeysentinel/ns1/sign.sh
@@ -16,7 +16,7 @@ zone=.
 infile=root.db.in
 zonefile=root.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
 keyid=`expr ${keyname} : 'K.+008+\(.*\)'`
 
 (cd ../ns2 && $SHELL sign.sh ${keyid:-00000} )
@@ -25,7 +25,7 @@ cp ../ns2/dsset-example$TP .
 
 cat $infile $keyname.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 # Configure the resolving server with a trusted key.
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
diff --git a/bin/tests/system/rootkeysentinel/ns2/sign.sh b/bin/tests/system/rootkeysentinel/ns2/sign.sh
index 861337b730..9d0e62d6c7 100644
--- a/bin/tests/system/rootkeysentinel/ns2/sign.sh
+++ b/bin/tests/system/rootkeysentinel/ns2/sign.sh
@@ -22,8 +22,8 @@ zone=example.
 infile=example.db.in
 zonefile=example.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >> $zonefile
@@ -37,4 +37,4 @@ echo new-not-ta CNAME root-key-sentinel-not-ta-$newid >> $zonefile
 echo bad-is-ta CNAME root-key-sentinel-is-ta-$badid >> $zonefile
 echo bad-not-ta CNAME root-key-sentinel-not-ta-$badid >> $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
diff --git a/bin/tests/system/rootkeysentinel/setup.sh b/bin/tests/system/rootkeysentinel/setup.sh
index 130287b705..df39b24896 100644
--- a/bin/tests/system/rootkeysentinel/setup.sh
+++ b/bin/tests/system/rootkeysentinel/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 355a4aa83d..830139ba55 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -62,12 +62,9 @@ for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wild
     sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db
 done
 
-# sign the root and a zone in ns2
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 # $1=directory, $2=domain name, $3=input zone file, $4=output file
 signzone () {
-    KEYNAME=`$KEYGEN -q -a rsasha256 -r $RANDFILE -K $1 $2`
+    KEYNAME=`$KEYGEN -q -a rsasha256 -K $1 $2`
     cat $1/$3 $1/$KEYNAME.key > $1/tmp
     $SIGNER -Pp -K $1 -o $2 -f $1/$4 $1/tmp >/dev/null
     sed -n -e 's/\(.*\) IN DNSKEY \([0-9]\{1,\} [0-9]\{1,\} [0-9]\{1,\}\) \(.*\)/trusted-keys {"\1" \2 "\3";};/p' $1/$KEYNAME.key >>trusted.conf
diff --git a/bin/tests/system/rsabigexponent/ns1/sign.sh b/bin/tests/system/rsabigexponent/ns1/sign.sh
index 0561519764..1fcb872940 100755
--- a/bin/tests/system/rsabigexponent/ns1/sign.sh
+++ b/bin/tests/system/rsabigexponent/ns1/sign.sh
@@ -18,11 +18,11 @@ zonefile=root.db
 
 cp ../ns2/dsset-example.in dsset-example$TP
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 # Configure the resolving server with a trusted key.
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
diff --git a/bin/tests/system/rsabigexponent/ns2/sign.sh b/bin/tests/system/rsabigexponent/ns2/sign.sh
index da479b2789..0c5cbdd084 100755
--- a/bin/tests/system/rsabigexponent/ns2/sign.sh
+++ b/bin/tests/system/rsabigexponent/ns2/sign.sh
@@ -22,6 +22,6 @@ do
 	cp $i `echo $i | sed s/X/K/`
 done
 
-$SIGNER -r $RANDFILE -g -s 20000101000000 -e 20361231235959 -o $zone \
+$SIGNER -g -s 20000101000000 -e 20361231235959 -o $zone \
 	$infile Kexample.+005+51829 Kexample.+005+51829 \
 	> /dev/null 2> signer.err
diff --git a/bin/tests/system/rsabigexponent/prereq.sh b/bin/tests/system/rsabigexponent/prereq.sh
index 695c074a44..aaca684d62 100644
--- a/bin/tests/system/rsabigexponent/prereq.sh
+++ b/bin/tests/system/rsabigexponent/prereq.sh
@@ -12,8 +12,6 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 if $BIGKEY > /dev/null 2>&1
 then
     rm -f Kexample.*
diff --git a/bin/tests/system/rsabigexponent/setup.sh b/bin/tests/system/rsabigexponent/setup.sh
index 6d4684130f..f25a40f04f 100644
--- a/bin/tests/system/rsabigexponent/setup.sh
+++ b/bin/tests/system/rsabigexponent/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/sfcache/ns1/sign.sh b/bin/tests/system/sfcache/ns1/sign.sh
index 270d2a8b1e..eddee27ed2 100644
--- a/bin/tests/system/sfcache/ns1/sign.sh
+++ b/bin/tests/system/sfcache/ns1/sign.sh
@@ -20,11 +20,11 @@ zonefile=root.db
 
 cp ../ns2/dsset-example$TP .
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 # Configure the resolving server with a trusted key.
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh
index 73e55e76ac..709c20c8d5 100644
--- a/bin/tests/system/sfcache/ns2/sign.sh
+++ b/bin/tests/system/sfcache/ns2/sign.sh
@@ -16,9 +16,9 @@ zone=example.
 infile=example.db.in
 zonefile=example.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
+keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key >$zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
diff --git a/bin/tests/system/sfcache/prereq.sh b/bin/tests/system/sfcache/prereq.sh
index 9847200dfd..0b7e20cc38 100644
--- a/bin/tests/system/sfcache/prereq.sh
+++ b/bin/tests/system/sfcache/prereq.sh
@@ -12,9 +12,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-$GENRANDOM 800 $RANDFILE
-
-if $KEYGEN -q -a RSAMD5 -b 1024 -n zone -r $RANDFILE foo > /dev/null 2>&1
+if $KEYGEN -q -a RSAMD5 -b 1024 -n zone foo > /dev/null 2>&1
 then
     rm -f Kfoo*
 else
diff --git a/bin/tests/system/sfcache/setup.sh b/bin/tests/system/sfcache/setup.sh
index 1a2453d46c..482c779cf7 100644
--- a/bin/tests/system/sfcache/setup.sh
+++ b/bin/tests/system/sfcache/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
diff --git a/bin/tests/system/smartsign/setup.sh b/bin/tests/system/smartsign/setup.sh
index 2fb9a31687..42a687da64 100644
--- a/bin/tests/system/smartsign/setup.sh
+++ b/bin/tests/system/smartsign/setup.sh
@@ -13,5 +13,3 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
 $SHELL clean.sh
-
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
diff --git a/bin/tests/system/smartsign/tests.sh b/bin/tests/system/smartsign/tests.sh
index ae12a4c17d..ffd9bf09de 100644
--- a/bin/tests/system/smartsign/tests.sh
+++ b/bin/tests/system/smartsign/tests.sh
@@ -22,52 +22,52 @@ cfile=child.db
 
 echo_i "generating child's keys"
 # active zsk
-czsk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -L 30 $czone`
+czsk1=`$KEYGEN -q -a rsasha1 -L 30 $czone`
 
 # not yet published or active
-czsk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P none -A none $czone`
+czsk2=`$KEYGEN -q -a rsasha1 -P none -A none $czone`
 
 # published but not active
-czsk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -A none $czone`
+czsk3=`$KEYGEN -q -a rsasha1 -A none $czone`
 
 # inactive
-czsk4=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+czsk4=`$KEYGEN -q -a rsasha1 -P now-24h -A now-24h -I now $czone`
 
 # active in 12 hours, inactive 12 hours after that...
-czsk5=`$KEYGEN -q -a rsasha1 -r $RANDFILE -P now+12h -A now+12h -I now+24h $czone`
+czsk5=`$KEYGEN -q -a rsasha1 -P now+12h -A now+12h -I now+24h $czone`
 
 # explicit successor to czk5
 # (suppressing warning about lack of removal date)
-czsk6=`$KEYGEN -q -r $RANDFILE -S $czsk5 -i 6h 2>/dev/null` 
+czsk6=`$KEYGEN -q -S $czsk5 -i 6h 2>/dev/null` 
 
 # active ksk
-cksk1=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk -L 30 $czone`
+cksk1=`$KEYGEN -q -a rsasha1 -fk -L 30 $czone`
 
 # published but not YET active; will be active in 20 seconds
-cksk2=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
+cksk2=`$KEYGEN -q -a rsasha1 -fk $czone`
 # $SETTIME moved after other $KEYGENs
 
 echo_i "revoking key"
 # revoking key changes its ID
-cksk3=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $czone`
+cksk3=`$KEYGEN -q -a rsasha1 -fk $czone`
 cksk4=`$REVOKE $cksk3`
 
 echo_i "setting up sync key"
-cksk5=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk -P now+1mo -A now+1mo -Psync now $czone`
+cksk5=`$KEYGEN -q -a rsasha1 -fk -P now+1mo -A now+1mo -Psync now $czone`
 
 echo_i "generating parent keys"
-pzsk=`$KEYGEN -q -a rsasha1 -r $RANDFILE $pzone`
-pksk=`$KEYGEN -q -a rsasha1 -r $RANDFILE -fk $pzone`
+pzsk=`$KEYGEN -q -a rsasha1 $pzone`
+pksk=`$KEYGEN -q -a rsasha1 -fk $pzone`
 
 echo_i "setting child's activation time"
 # using now+30s to fix RT 24561
 $SETTIME -A now+30s $cksk2 > /dev/null
 
 echo_i "signing child zone"
-czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r $RANDFILE -o $czone $cfile 2>&1`
+czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1`
 
 echo_i "signing parent zone"
-pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1`
+pzoneout=`$SIGNER -Sg -o $pzone $pfile 2>&1`
 
 czactive=`echo $czsk1 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
 czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*\([0-9]\)/\1/'`
@@ -99,8 +99,8 @@ status=`expr $status + $ret`
 echo_i "rechecking dnssec-signzone output with -x"
 ret=0
 # use an alternate output file so -x doesn't interfere with later checks
-pzoneout=`$SIGNER -Sxg -r $RANDFILE -o $pzone -f ${pfile}2.signed $pfile 2>&1`
-czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -r $RANDFILE -o $czone -f ${cfile}2.signed $cfile 2>&1`
+pzoneout=`$SIGNER -Sxg -o $pzone -f ${pfile}2.signed $pfile 2>&1`
+czoneout=`$SIGNER -Sxg -e now+1d -X now+2d -o $czone -f ${cfile}2.signed $cfile 2>&1`
 echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
 echo "$pzoneout" | grep 'ZSKs: 1 active, 0 present, 0 revoked' > /dev/null || ret=1
 echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
@@ -204,7 +204,7 @@ status=`expr $status + $ret`
 echo_i "re-signing and checking imported TTLs again"
 ret=0
 $SETTIME -L 15 ${czsk2} > /dev/null
-czoneout=`$SIGNER -Sg -e now+1d -X now+2d -r $RANDFILE -o $czone $cfile 2>&1`
+czoneout=`$SIGNER -Sg -e now+1d -X now+2d -o $czone $cfile 2>&1`
 awk 'BEGIN {r = 0} $2 == "DNSKEY" && $1 != 15 {r = 1} END {exit r}' \
         ${cfile}.signed || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -325,7 +325,7 @@ status=`expr $status + $ret`
 echo_i "waiting 30 seconds for key activation"
 sleep 30
 echo_i "re-signing child zone"
-czoneout2=`$SIGNER -Sg -r $RANDFILE -o $czone -f $cfile.new $cfile.signed 2>&1`
+czoneout2=`$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed 2>&1`
 mv $cfile.new $cfile.signed
 
 echo_i "checking dnssec-signzone output matches expectations"
@@ -351,7 +351,7 @@ status=`expr $status + $ret`
 echo_i "checking sync record deletion"
 ret=0
 $SETTIME -P now -A now -Dsync now ${cksk5} > /dev/null
-$SIGNER -Sg -r $RANDFILE -o $czone -f $cfile.new $cfile.signed > /dev/null 2>&1
+$SIGNER -Sg -o $czone -f $cfile.new $cfile.signed > /dev/null 2>&1
 mv $cfile.new $cfile.signed
 grep -w CDNSKEY $cfile.signed > /dev/null && ret=1
 grep -w CDS $cfile.signed > /dev/null && ret=1
diff --git a/bin/tests/system/staticstub/ns3/sign.sh b/bin/tests/system/staticstub/ns3/sign.sh
index 96cc585151..60ddc8b425 100755
--- a/bin/tests/system/staticstub/ns3/sign.sh
+++ b/bin/tests/system/staticstub/ns3/sign.sh
@@ -20,11 +20,11 @@ zonefile=example.db
 
 cp ../ns4/dsset-sub.example$TP .
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -f KSK -n zone $zone`
+keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone`
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -g -o $zone $zonefile > /dev/null 2>&1
 
 # Configure the resolving server with a trusted key.
 
@@ -41,11 +41,11 @@ EOF
 zone=undelegated
 infile=undelegated.db.in
 zonefile=undelegated.db
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -f KSK -n zone $zone`
+keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -q -a RSASHA256 -b 2048 -f KSK -n zone $zone`
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -g -o $zone $zonefile > /dev/null 2>&1
 
 cat $keyname2.key | grep -v '^; ' | $PERL -n -e '
 local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
diff --git a/bin/tests/system/staticstub/ns4/sign.sh b/bin/tests/system/staticstub/ns4/sign.sh
index f7ed48a8fe..a3b22d7cd7 100755
--- a/bin/tests/system/staticstub/ns4/sign.sh
+++ b/bin/tests/system/staticstub/ns4/sign.sh
@@ -16,9 +16,9 @@ zone=sub.example
 infile=${zone}.db.in
 zonefile=${zone}.db
 
-keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
+keyname1=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -q -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
 
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+$SIGNER -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/staticstub/setup.sh b/bin/tests/system/staticstub/setup.sh
index 2c9b0c523c..874e99585b 100755
--- a/bin/tests/system/staticstub/setup.sh
+++ b/bin/tests/system/staticstub/setup.sh
@@ -23,6 +23,4 @@ rm -f tmp
 
 copy_setports ns4/named.conf.in ns4/named.conf
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 cd ns3 && $SHELL -e sign.sh
diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh
index f400552a0b..4e396dfc3a 100644
--- a/bin/tests/system/synthfromdnssec/ns1/sign.sh
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@@ -16,20 +16,20 @@ zone=example
 infile=example.db.in
 zonefile=example.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone`
 cat $infile $keyname.key > $zonefile
 
-$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -o $zone $zonefile > /dev/null
 
 zone=.
 infile=root.db.in
 zonefile=root.db
 
-keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSAMD5 -b 1024 -n zone $zone`
 
 cat $infile $keyname.key > $zonefile
 
-$SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -g -o $zone $zonefile > /dev/null
 
 # Configure the resolving server with a trusted key.
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
diff --git a/bin/tests/system/synthfromdnssec/setup.sh b/bin/tests/system/synthfromdnssec/setup.sh
index 9dea6478fe..2b067c5e9b 100644
--- a/bin/tests/system/synthfromdnssec/setup.sh
+++ b/bin/tests/system/synthfromdnssec/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
index 4716cdff40..9fb895cf9f 100644
--- a/bin/tests/system/testcrypto.sh
+++ b/bin/tests/system/testcrypto.sh
@@ -12,11 +12,9 @@
 SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
 . $SYSTEMTESTTOP/conf.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 prog=$0
 
-args="-r $RANDFILE"
+args=""
 alg="-a RSAMD5 -b 1024"
 quiet=0
 
diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
index 5155be4097..01331beafc 100644
--- a/bin/tests/system/tkey/ns1/named.conf.in
+++ b/bin/tests/system/tkey/ns1/named.conf.in
@@ -24,7 +24,6 @@ options {
 	tkey-domain "server";
 	tkey-dhkey "server" KEYID;
 	allow-query-cache { any; };
-	random-device "RANDFILE";
 };
 
 key rndc_key {
diff --git a/bin/tests/system/tkey/ns1/setup.sh b/bin/tests/system/tkey/ns1/setup.sh
index c1e2ff3e31..6bf84c7c4b 100644
--- a/bin/tests/system/tkey/ns1/setup.sh
+++ b/bin/tests/system/tkey/ns1/setup.sh
@@ -12,7 +12,7 @@
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
-keyname=`$KEYGEN -T KEY -a DH -b 768 -n host -r $RANDFILE server`
+keyname=`$KEYGEN -T KEY -a DH -b 768 -n host server`
 keyid=`echo $keyname | $PERL -p -e 's/^.*\+0*//;'`
 rm -f named.conf
-sed -e "s;KEYID;$keyid;" -e "s;RANDFILE;$RANDFILE;" < named.conf.in > named.conf
+sed -e "s;KEYID;$keyid;" < named.conf.in > named.conf
diff --git a/bin/tests/system/tkey/setup.sh b/bin/tests/system/tkey/setup.sh
index 96c9881b4d..480b4fc352 100644
--- a/bin/tests/system/tkey/setup.sh
+++ b/bin/tests/system/tkey/setup.sh
@@ -14,6 +14,4 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 cd ns1 && $SHELL setup.sh
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
index 53d3ef0022..a293d32b2b 100644
--- a/bin/tests/system/tkey/tests.sh
+++ b/bin/tests/system/tkey/tests.sh
@@ -18,7 +18,7 @@ status=0
 
 echo "I:generating new DH key"
 ret=0
-dhkeyname=`$KEYGEN -T KEY -a DH -b 768 -n host -r $RANDFILE client` || ret=1
+dhkeyname=`$KEYGEN -T KEY -a DH -b 768 -n host client` || ret=1
 if [ $ret != 0 ]; then
 	echo "I:failed"
 	status=`expr $status + $ret`
@@ -31,7 +31,7 @@ for owner in . foo.example.
 do
 	echo "I:creating new key using owner name \"$owner\""
 	ret=0
-	keyname=`$KEYCREATE -r $RANDFILE $dhkeyname $owner` || ret=1
+	keyname=`$KEYCREATE $dhkeyname $owner` || ret=1
 	if [ $ret != 0 ]; then
 		echo "I:failed"
 		status=`expr $status + $ret`
@@ -53,7 +53,7 @@ do
 
 	echo "I:deleting new key"
 	ret=0
-	$KEYDELETE -r $RANDFILE $keyname || ret=1
+	$KEYDELETE $keyname || ret=1
 	if [ $ret != 0 ]; then
 		echo "I:failed"
 	fi
@@ -73,7 +73,7 @@ done
 
 echo "I:creating new key using owner name bar.example."
 ret=0
-keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
+keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
 	status=`expr $status + $ret`
@@ -114,7 +114,7 @@ status=`expr $status + $ret`
 
 echo "I:recreating the bar.example. key"
 ret=0
-keyname=`$KEYCREATE -r $RANDFILE $dhkeyname bar.example.` || ret=1
+keyname=`$KEYCREATE $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
 	status=`expr $status + $ret`
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
index f0665fba81..b3e0450b4a 100644
--- a/bin/tests/system/tsig/setup.sh
+++ b/bin/tests/system/tsig/setup.sh
@@ -15,5 +15,3 @@ SYSTEMTESTTOP=..
 $SHELL clean.sh
 
 copy_setports ns1/named.conf.in ns1/named.conf
-
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
index 2a27b50b08..b5f9f1b473 100644
--- a/bin/tests/system/tsig/tests.sh
+++ b/bin/tests/system/tsig/tests.sh
@@ -212,9 +212,9 @@ if $SHELL ../testcrypto.sh -q
 then
   echo_i "check that multiple dnssec-keygen calls don't emit dns_dnssec_findmatchingkeys warning"
   ret=0
-  $KEYGEN -r $RANDFILE -a dh -b 128 -n host example.net > keygen.out1 2>&1 || ret=1
+  $KEYGEN -a dh -b 128 -n host example.net > keygen.out1 2>&1 || ret=1
   grep dns_dnssec_findmatchingkeys keygen.out1 > /dev/null && ret=1
-  $KEYGEN -r $RANDFILE -a dh -b 128 -n host example.net > keygen.out2 2>&1 || ret=1
+  $KEYGEN -a dh -b 128 -n host example.net > keygen.out2 2>&1 || ret=1
   grep dns_dnssec_findmatchingkeys keygen.out2 > /dev/null && ret=1
   if [ $ret -eq 1 ] ; then
 	  echo_i "failed"; status=1
@@ -223,7 +223,7 @@ fi
 
 echo_i "check that dnssec-keygen won't generate TSIG keys"
 ret=0
-$KEYGEN -r $RANDFILE -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
+$KEYGEN -a hmac-sha256 -b 128 -n host example.net > keygen.out3 2>&1 && ret=1
 grep "unknown algorithm" keygen.out3 > /dev/null || ret=1
 
 echo_i "exit status: $status"
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
index fc3164f0c2..7350f0221d 100644
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -14,9 +14,7 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 
-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -r $RANDFILE -n HOST -T KEY key.example.nil.`
+key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -n HOST -T KEY key.example.nil.`
 cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
index b489d7b162..3726e14c7a 100644
--- a/bin/tests/system/tsiggss/tests.sh
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -69,7 +69,7 @@ test_update testcname.example.nil. TXT "86400 A 10.53.0.13" "10.53.0.13" > /dev/
 
 echo "I:testing external policy with SIG(0) key"
 ret=0
-$NSUPDATE -R $RANDFILE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
+$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
 server 10.53.0.1 ${PORT}
 zone example.nil
 update add fred.example.nil 120 cname foo.bar.
diff --git a/bin/tests/system/unknown/ns3/sign.sh b/bin/tests/system/unknown/ns3/sign.sh
index e5e1173e01..854047aadb 100644
--- a/bin/tests/system/unknown/ns3/sign.sh
+++ b/bin/tests/system/unknown/ns3/sign.sh
@@ -15,5 +15,5 @@ SYSTEMTESTTOP=../..
 zone=example
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
-keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone $zone`
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone -f KSK $zone`
diff --git a/bin/tests/system/unknown/setup.sh b/bin/tests/system/unknown/setup.sh
index d8f85c17bd..49d72d24f2 100644
--- a/bin/tests/system/unknown/setup.sh
+++ b/bin/tests/system/unknown/setup.sh
@@ -12,8 +12,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh 
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
index 93e394930f..7a16adac8c 100644
--- a/bin/tests/system/upforwd/setup.sh
+++ b/bin/tests/system/upforwd/setup.sh
@@ -24,8 +24,7 @@ copy_setports ns3/named.conf.in ns3/named.conf
 #
 # SIG(0) required cryptographic support which may not be configured.
 #
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-keyname=`$KEYGEN  -q -r $RANDFILE -n HOST -a RSASHA1 -b 1024 -T KEY sig0.example2 2>/dev/null | $D2U`
+keyname=`$KEYGEN  -q -n HOST -a RSASHA1 -b 1024 -T KEY sig0.example2 2>/dev/null | $D2U`
 if test -n "$keyname"
 then
 	cat ns1/example1.db $keyname.key > ns1/example2.db
diff --git a/bin/tests/system/verify/setup.sh b/bin/tests/system/verify/setup.sh
index af4b6026ad..b43fff26b2 100644
--- a/bin/tests/system/verify/setup.sh
+++ b/bin/tests/system/verify/setup.sh
@@ -14,6 +14,4 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh 
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 (cd zones && $SHELL genzones.sh)
diff --git a/bin/tests/system/verify/zones/genzones.sh b/bin/tests/system/verify/zones/genzones.sh
index 66c6da23d6..f5ca606b8e 100644
--- a/bin/tests/system/verify/zones/genzones.sh
+++ b/bin/tests/system/verify/zones/genzones.sh
@@ -30,83 +30,83 @@ cp unsigned.db unsigned.bad
 
 # A set of nsec zones.
 setup zsk-only.nsec good
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk-only.nsec good
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk+zsk.nsec good
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 # A set of nsec3 zones.
 setup zsk-only.nsec3 good
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk-only.nsec3 good
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk+zsk.nsec3 good
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk+zsk.outout good
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - -A -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 # A set of zones with only DNSKEY records.
 setup zsk-only.dnskeyonly bad
-key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key > ${file}
 
 setup ksk-only.dnskeyonly bad
-key1=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 -fK ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key > ${file}
 
 setup ksk+zsk.dnskeyonly bad
-key1=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2>kg.out` || dumpit kg.out$n
-key2=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2>kg.out` || dumpit kg.out$n
+key1=`$KEYGEN -a rsasha256 ${zone} 2>kg.out` || dumpit kg.out$n
+key2=`$KEYGEN -a rsasha256 -fK ${zone} 2>kg.out` || dumpit kg.out$n
 cat unsigned.db $key1.key $key2.key > ${file}
 
 # A set of zones with expired records
 s="-s -2678400"
 setup zsk-only.nsec.expired bad
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk-only.nsec.expired bad
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -SPz ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk+zsk.nsec.expired bad
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -SP ${s} -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup zsk-only.nsec3.expired bad
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 ${zone}> kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - ${s} -SP -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk-only.nsec3.expired bad
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg.out$n 2>&1 || dumpit kg.out$n
 $SIGNER -3 - ${s} -SPz -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 setup ksk+zsk.nsec3.expired bad
-$KEYGEN -a rsasha256 -r $RANDFILE ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
-$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
+$KEYGEN -a rsasha256 ${zone} > kg1.out$n 2>&1 || dumpit kg1.out$n
+$KEYGEN -a rsasha256 -fK ${zone} > kg2.out$n 2>&1 || dumpit kg2.out$n
 $SIGNER -3 - ${s} -SPx -o ${zone} -f ${file} unsigned.db > s.out$n 2>&1 || dumpit s.out$n
 
 # ksk expired
 setup ksk+zsk.nsec.ksk-expired bad
-zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
 $SIGNER ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
@@ -115,8 +115,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
 [ "${exp:-40001231246060}" -lt ${now:-0} ] || dumpit $file
 
 setup ksk+zsk.nsec3.ksk-expired bad
-zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -Px -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>&1 || dumpit s.out$n
 $SIGNER -3 - ${s} -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
@@ -126,8 +126,8 @@ exp=`awk '$4 == "RRSIG" && $5 == "DNSKEY" { print $9;}' ${file}`
 
 # broken nsec chain
 setup ksk+zsk.nsec.broken-chain bad
-zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '$4 == "NSEC" { $5 = "'$zone'."; print } { print }' ${file} > ${file}.tmp
@@ -135,8 +135,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
 
 # bad nsec bitmap
 setup ksk+zsk.nsec.bad-bitmap bad
-zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '$4 == "NSEC" && /SOA/ { $6=""; print } { print }' ${file} > ${file}.tmp
@@ -144,8 +144,8 @@ $SIGNER -Px -Z nonsecify -o ${zone} -f ${file} ${file}.tmp $zsk > s.out$n 2>&1 |
 
 # extra NSEC record out side of zone
 setup ksk+zsk.nsec.out-of-zone-nsec bad
-zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 echo "out-of-zone. 3600 IN NSEC ${zone}. A" >> ${file}
@@ -153,8 +153,8 @@ $SIGNER -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file} $zsk > s.out$n 2>
 
 # extra NSEC record below bottom of one
 setup ksk+zsk.nsec.below-bottom-of-zone-nsec bad
-zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 echo "ns.sub.${zone}. 3600 IN NSEC ${zone}. A AAAA" >> ${file}
@@ -166,8 +166,8 @@ awk '$1 ~ /^ns.sub/ && $4 == "RRSIG" && $5 != "NSEC" { next; } { print; }' ${fil
 # extract the hash fields from the empty node's NSEC 3 record then fix up
 # the NSEC3 chain to remove it
 setup ksk+zsk.nsec3.missing-empty bad
-zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 a=`awk '$4 == "NSEC3" && NF == 9 { split($1, a, "."); print a[1]; }' ${file}`
@@ -180,8 +180,8 @@ $SIGNER -3 - -Px -Z nonsecify -O full -o ${zone} -f ${file} ${file}.tmp $zsk > s
 
 # extra NSEC3 record
 setup ksk+zsk.nsec3.extra-nsec3 bad
-zsk=`$KEYGEN -a rsasha256 -r $RANDFILE ${zone} 2> kg1.out$n` || dumpit kg1.out$n
-ksk=`$KEYGEN -a rsasha256 -r $RANDFILE -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
+zsk=`$KEYGEN -a rsasha256 ${zone} 2> kg1.out$n` || dumpit kg1.out$n
+ksk=`$KEYGEN -a rsasha256 -fK ${zone} 2> kg2.out$n` || dumpit kg2.out$n
 cat unsigned.db $ksk.key $zsk.key > $file
 $SIGNER -3 - -P -O full -o ${zone} -f ${file} ${file} $ksk > s.out$n 2>&1 || dumpit s.out$n
 awk '
diff --git a/bin/tests/system/views/setup.sh b/bin/tests/system/views/setup.sh
index 38804205b6..e5440e3167 100644
--- a/bin/tests/system/views/setup.sh
+++ b/bin/tests/system/views/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 cp -f ns2/example1.db ns2/example.db
 rm -f ns2/external/K*
 rm -f ns2/external/inline.db.signed
@@ -34,11 +32,11 @@ copy_setports ns5/named.conf.in ns5/named.conf
 # same source of "random" data and we want different keys for
 # internal and external instances of inline.
 #
-$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
-$KEYGEN -K ns2/internal -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
-k1=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline 2> /dev/null`
-k2=`$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline 2> /dev/null`
-$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -q inline > /dev/null 2>&1
-$KEYGEN -K ns2/external -r $RANDFILE -a rsasha256 -qfk inline > /dev/null 2>&1
+$KEYGEN -K ns2/internal -a rsasha256 -q inline > /dev/null 2>&1
+$KEYGEN -K ns2/internal -a rsasha256 -qfk inline > /dev/null 2>&1
+k1=`$KEYGEN -K ns2/external -a rsasha256 -q inline 2> /dev/null`
+k2=`$KEYGEN -K ns2/external -a rsasha256 -qfk inline 2> /dev/null`
+$KEYGEN -K ns2/external -a rsasha256 -q inline > /dev/null 2>&1
+$KEYGEN -K ns2/external -a rsasha256 -qfk inline > /dev/null 2>&1
 test -n "$k1" && rm -f ns2/external/$k1.*
 test -n "$k2" && rm -f ns2/external/$k2.*
diff --git a/bin/tests/system/wildcard/ns1/sign.sh b/bin/tests/system/wildcard/ns1/sign.sh
index 2c3ee9ab55..18d78e694d 100755
--- a/bin/tests/system/wildcard/ns1/sign.sh
+++ b/bin/tests/system/wildcard/ns1/sign.sh
@@ -22,12 +22,12 @@ zonefile=dlv.db
 outfile=dlv.db.signed
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=nsec.
@@ -36,12 +36,12 @@ zonefile=nsec.db
 outfile=nsec.db.signed
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=private.nsec.
@@ -49,12 +49,12 @@ infile=private.nsec.db.in
 zonefile=private.nsec.db
 outfile=private.nsec.db.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 grep -v '^;' $keyname2.key | $PERL -n -e '
@@ -73,12 +73,12 @@ zonefile=nsec3.db
 outfile=nsec3.db.signed
 dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
 
-keyname1=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -r $RANDFILE -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 zone=private.nsec3.
@@ -86,12 +86,12 @@ infile=private.nsec3.db.in
 zonefile=private.nsec3.db
 outfile=private.nsec3.db.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a NSEC3RSASHA1 -b 1024 -n zone $zone 2> /dev/null` 
+keyname2=`$KEYGEN -f KSK -a NSEC3RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key > $zonefile
 
-$SIGNER -r $RANDFILE -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -3 - -H 10 -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 grep -v '^;' $keyname2.key | $PERL -n -e '
@@ -109,12 +109,12 @@ infile=root.db.in
 zonefile=root.db
 outfile=root.db.signed
 
-keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a RSASHA1 -b 1024 -n zone $zone 2> /dev/null`
 
 cat $infile $keyname1.key $keyname2.key $dssets >$zonefile
 
-$SIGNER -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+$SIGNER -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
 echo_i "signed $zone"
 
 grep -v '^;' $keyname2.key | $PERL -n -e '
diff --git a/bin/tests/system/wildcard/setup.sh b/bin/tests/system/wildcard/setup.sh
index 2feddbd74b..b1982ddfc5 100644
--- a/bin/tests/system/wildcard/setup.sh
+++ b/bin/tests/system/wildcard/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/zonechecks/setup.sh b/bin/tests/system/zonechecks/setup.sh
index 9a24704486..dcd8e4c2c8 100644
--- a/bin/tests/system/zonechecks/setup.sh
+++ b/bin/tests/system/zonechecks/setup.sh
@@ -14,8 +14,6 @@ SYSTEMTESTTOP=..
 
 $SHELL clean.sh
 
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 
@@ -25,8 +23,8 @@ cp bigserial.db ns1/
 cd ns1
 touch master.db.signed
 echo '$INCLUDE "master.db.signed"' >> master.db
-$KEYGEN -r $RANDFILE -a rsasha256 -q master.example > /dev/null 2>&1
-$KEYGEN -r $RANDFILE -a rsasha256 -qfk master.example > /dev/null 2>&1
+$KEYGEN -a rsasha256 -q master.example > /dev/null 2>&1
+$KEYGEN -a rsasha256 -qfk master.example > /dev/null 2>&1
 $SIGNER -SD -o master.example master.db > /dev/null \
     2> signer.err || cat signer.err
 echo '$INCLUDE "soa.db"' > reload.db
diff --git a/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh b/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
index acccdf06ae..a1ee51d2e4 100644
--- a/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
+++ b/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh
@@ -12,22 +12,19 @@
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
-RANDFILE=../random.data1
-RANDFILE2=../random.data2
-
 zone=example.
 infile=example.db.in
 zonefile=example.db
 
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+zskname=`$KEYGEN -q -a RSASHA1 -b 768 -n zone $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -b 1024 -f KSK -n zone $zone`
 
 cat $infile $zskname.key $kskname.key > $zonefile
 
-$SIGNER -P -e +1000d -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -e +1000d -o $zone $zonefile > /dev/null
 
 # ksk
-keyname=`$KEYGEN -q -r $RANDFILE2 -a RSASHA1 -b 1024 -n zone \
+keyname=`$KEYGEN -q -a RSASHA1 -b 1024 -n zone \
 	-f KSK -P +20 -A +1h -R +6h -I +1d -D +1mo $zone`
 
 echo $keyname > keyname
diff --git a/bin/tests/virtual-time/autosign-ksk/setup.sh b/bin/tests/virtual-time/autosign-ksk/setup.sh
index 85a723a38f..504e997652 100644
--- a/bin/tests/virtual-time/autosign-ksk/setup.sh
+++ b/bin/tests/virtual-time/autosign-ksk/setup.sh
@@ -13,9 +13,5 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 . ./clean.sh
 
-../../../tools/genrandom 800 random.data
-dd if=random.data of=random.data1 bs=1k count=400 2> /dev/null
-dd if=random.data of=random.data2 bs=1k skip=400 2> /dev/null
-
 cd ns1 && sh sign.sh
 
diff --git a/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh b/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
index d0723db192..fe0d23f04a 100644
--- a/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
+++ b/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh
@@ -12,22 +12,19 @@
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
 
-RANDFILE=../random.data1
-RANDFILE2=../random.data2
-
 zone=example.
 infile=example.db.in
 zonefile=example.db
 
-zskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
-kskname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+zskname=`$KEYGEN -q  -a RSASHA1 -b 768 -n zone $zone`
+kskname=`$KEYGEN -q -a RSASHA1 -b 1024 -f KSK -n zone $zone`
 
 cat $infile $zskname.key $kskname.key > $zonefile
 
-$SIGNER -P -e +1000d -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -P -e +1000d -o $zone $zonefile > /dev/null
 
 # zsk, no -R
-keyname=`$KEYGEN -q -r $RANDFILE2 -a RSASHA1 -b 768 -n zone \
+keyname=`$KEYGEN -q -a RSASHA1 -b 768 -n zone \
 	-P +20 -A +1h -I +1d -D +1mo $zone`
 
 echo $keyname > keyname
diff --git a/bin/tests/virtual-time/autosign-zsk/setup.sh b/bin/tests/virtual-time/autosign-zsk/setup.sh
index 85a723a38f..504e997652 100644
--- a/bin/tests/virtual-time/autosign-zsk/setup.sh
+++ b/bin/tests/virtual-time/autosign-zsk/setup.sh
@@ -13,9 +13,5 @@ SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 . ./clean.sh
 
-../../../tools/genrandom 800 random.data
-dd if=random.data of=random.data1 bs=1k count=400 2> /dev/null
-dd if=random.data of=random.data2 bs=1k skip=400 2> /dev/null
-
 cd ns1 && sh sign.sh
 
diff --git a/bin/tools/.gitignore b/bin/tools/.gitignore
index 088ac8f730..8543207af3 100644
--- a/bin/tools/.gitignore
+++ b/bin/tools/.gitignore
@@ -1,6 +1,5 @@
 arpaname
 dnstap-read
-genrandom
 mdig
 named-journalprint
 named-nzd2nzf
diff --git a/bin/tools/Makefile.in b/bin/tools/Makefile.in
index e8f5dfdf19..8617592838 100644
--- a/bin/tools/Makefile.in
+++ b/bin/tools/Makefile.in
@@ -41,20 +41,20 @@ DNSTAPTARGETS =	dnstap-read@EXEEXT@
 NZDTARGETS =	named-nzd2nzf@EXEEXT@
 TARGETS =	arpaname@EXEEXT@ named-journalprint@EXEEXT@ \
 		named-rrchecker@EXEEXT@ nsec3hash@EXEEXT@ \
-		genrandom@EXEEXT@ mdig@EXEEXT@ \
+		mdig@EXEEXT@ \
 		@DNSTAPTARGETS@ @NZDTARGETS@
 
 DNSTAPSRCS  =	dnstap-read.c
 NZDSRCS  =	named-nzd2nzf.c
 SRCS =		arpaname.c named-journalprint.c named-rrchecker.c \
-		nsec3hash.c genrandom.c mdig.c \
+		nsec3hash.c mdig.c \
 		@DNSTAPSRCS@ @NZDSRCS@
 
-MANPAGES =	arpaname.1 dnstap-read.1 genrandom.8 \
+MANPAGES =	arpaname.1 dnstap-read.1 \
 		mdig.1 named-journalprint.8 \
 		named-nzd2nzf.8 named-rrchecker.1 nsec3hash.8
 
-HTMLPAGES =	arpaname.html dnstap-read.html genrandom.html \
+HTMLPAGES =	arpaname.html dnstap-read.html \
 		mdig.html named-journalprint.html \
 		named-nzd2nzf.html named-rrchecker.html nsec3hash.html
 
@@ -81,10 +81,6 @@ nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 	export LIBS0="${DNSLIBS} ${ISCLIBS}"; \
 	${FINALBUILDCMD}
 
-genrandom@EXEEXT@: genrandom.@O@
-	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
-		-o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
-
 mdig@EXEEXT@: mdig.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS}
 	export BASEOBJS="mdig.@O@"; \
 	export LIBS0="${DNSLIBS} ${BIND9LIBS}"; \
@@ -130,28 +126,22 @@ install:: ${TARGETS} installdirs @DNSTAP@ @NZD_TOOLS@
 		${DESTDIR}${bindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ \
 		${DESTDIR}${sbindir}
-	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ \
-		${DESTDIR}${sbindir}
 	${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} mdig@EXEEXT@ \
 		${DESTDIR}${bindir}
 	${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
 	${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
 	${INSTALL_DATA} ${srcdir}/named-rrchecker.1 ${DESTDIR}${mandir}/man1
 	${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
-	${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
 	${INSTALL_DATA} ${srcdir}/mdig.1 ${DESTDIR}${mandir}/man1
 
 uninstall::
 	rm -f ${DESTDIR}${mandir}/man1/mdig.1
-	rm -f ${DESTDIR}${mandir}/man8/genrandom.8
 	rm -f ${DESTDIR}${mandir}/man8/nsec3hash.8
 	rm -f ${DESTDIR}${mandir}/man1/named-rrchecker.1
 	rm -f ${DESTDIR}${mandir}/man8/named-journalprint.8
 	rm -f ${DESTDIR}${mandir}/man1/arpaname.1
 	${LIBTOOL_MODE_UNINSTALL} rm -f \
 		${DESTDIR}${bindir}/mdig@EXEEXT@
-	${LIBTOOL_MODE_UNINSTALL} rm -f \
-		${DESTDIR}${sbindir}/genrandom@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f \
 		${DESTDIR}${sbindir}/nsec3hash@EXEEXT@
 	${LIBTOOL_MODE_UNINSTALL} rm -f \
diff --git a/bin/tools/genrandom.8 b/bin/tools/genrandom.8
deleted file mode 100644
index 4d44491295..0000000000
--- a/bin/tools/genrandom.8
+++ /dev/null
@@ -1,77 +0,0 @@
-.\" Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" 
-.\" This Source Code Form is subject to the terms of the Mozilla Public
-.\" License, v. 2.0. If a copy of the MPL was not distributed with this
-.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
-.\"
-.hy 0
-.ad l
-'\" t
-.\"     Title: genrandom
-.\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2011-08-08
-.\"    Manual: BIND9
-.\"    Source: ISC
-.\"  Language: English
-.\"
-.TH "GENRANDOM" "8" "2011\-08\-08" "ISC" "BIND9"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el       .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-genrandom \- generate a file containing random data
-.SH "SYNOPSIS"
-.HP \w'\fBgenrandom\fR\ 'u
-\fBgenrandom\fR [\fB\-n\ \fR\fB\fInumber\fR\fR] {\fIsize\fR} {\fIfilename\fR}
-.SH "DESCRIPTION"
-.PP
-\fBgenrandom\fR
-generates a file or a set of files containing a specified quantity of pseudo\-random data, which can be used as a source of entropy for other commands on systems with no random device\&.
-.SH "ARGUMENTS"
-.PP
-\-n \fInumber\fR
-.RS 4
-In place of generating one file, generates
-\fBnumber\fR
-(from 2 to 9) files, appending
-\fBnumber\fR
-to the name\&.
-.RE
-.PP
-size
-.RS 4
-The size of the file, in kilobytes, to generate\&.
-.RE
-.PP
-filename
-.RS 4
-The file name into which random data should be written\&.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBrand\fR(3),
-\fBarc4random\fR(3)
-.SH "AUTHOR"
-.PP
-\fBInternet Systems Consortium, Inc\&.\fR
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
diff --git a/bin/tools/genrandom.c b/bin/tools/genrandom.c
deleted file mode 100644
index 40dadbe646..0000000000
--- a/bin/tools/genrandom.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-
-/*! \file */
-#include <config.h>
-
-#include <isc/commandline.h>
-#include <isc/print.h>
-#include <isc/stdlib.h>
-#include <isc/util.h>
-
-#include <stdio.h>
-#include <string.h>
-
-const char *program = "genrandom";
-
-ISC_PLATFORM_NORETURN_PRE static void
-usage(void) ISC_PLATFORM_NORETURN_POST;
-
-static void
-usage(void) {
-	fprintf(stderr, "usage: %s [-n 2..9] k file\n", program);
-	exit(1);
-}
-
-static void
-generate(char *filename, unsigned int bytes) {
-	FILE *fp;
-
-	fp = fopen(filename, "w");
-	if (fp == NULL) {
-		printf("failed to open %s\n", filename);
-		exit(1);
-	}
-
-	while (bytes > 0) {
-#ifndef HAVE_ARC4RANDOM
-		unsigned short int x = (rand() & 0xFFFF);
-#else
-		unsigned short int x = (arc4random() & 0xFFFF);
-#endif
-		unsigned char c = x & 0xFF;
-		if (putc(c, fp) == EOF) {
-			printf("error writing to %s\n", filename);
-			exit(1);
-		}
-		c = x >> 8;
-		if (putc(c, fp) == EOF) {
-			printf("error writing to %s\n", filename);
-			exit(1);
-		}
-		bytes -= 2;
-	}
-	fclose(fp);
-}
-
-int
-main(int argc, char **argv) {
-	unsigned int bytes;
-	unsigned int k;
-	char *endp;
-	int c, i, n = 1;
-	size_t len;
-	char *name;
-
-	isc_commandline_errprint = ISC_FALSE;
-
-	while ((c = isc_commandline_parse(argc, argv, "hn:")) != EOF) {
-		switch (c) {
-		case 'n':
-			n = strtol(isc_commandline_argument, &endp, 10);
-			if ((*endp != 0) || (n <= 1) || (n > 9))
-				usage();
-			break;
-
-		case '?':
-			if (isc_commandline_option != '?')
-				fprintf(stderr, "%s: invalid argument -%c\n",
-					program, isc_commandline_option);
-			/* FALLTHROUGH */
-		case 'h':
-			usage();
-
-		default:
-			fprintf(stderr, "%s: unhandled option -%c\n",
-				program, isc_commandline_option);
-			exit(1);
-		}
-	}
-
-	if (isc_commandline_index + 2 != argc)
-		usage();
-
-	k = strtoul(argv[isc_commandline_index++], &endp, 10);
-	if (*endp != 0)
-		usage();
-	bytes = k << 10;
-
-#ifndef HAVE_ARC4RANDOM
-	srand(0x12345678);
-#endif
-	if (n == 1) {
-		generate(argv[isc_commandline_index], bytes);
-		return (0);
-	}
-
-	len = strlen(argv[isc_commandline_index]);
-	INSIST((len + 2) > len);
-	len += 2;
-	name = (char *) malloc(len);
-	if (name == NULL) {
-		perror("malloc");
-		exit(1);
-	}
-
-	for (i = 1; i <= n; i++) {
-		snprintf(name, len, "%s%d", argv[isc_commandline_index], i);
-		generate(name, bytes);
-	}
-	free(name);
-
-	return (0);
-}
diff --git a/bin/tools/genrandom.docbook b/bin/tools/genrandom.docbook
deleted file mode 100644
index b4f369a933..0000000000
--- a/bin/tools/genrandom.docbook
+++ /dev/null
@@ -1,110 +0,0 @@
-<!--
- - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- -
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
- -
- - See the COPYRIGHT file distributed with this work for additional
- - information regarding copyright ownership.
--->
-
-<!-- Converted by db4-upgrade version 1.0 -->
-<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.genrandom">
-  <info>
-    <date>2011-08-08</date>
-  </info>
-  <refentryinfo>
-    <corpname>ISC</corpname>
-    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle><application>genrandom</application></refentrytitle>
-    <manvolnum>8</manvolnum>
-    <refmiscinfo>BIND9</refmiscinfo>
-  </refmeta>
-
-  <refnamediv>
-    <refname><application>genrandom</application></refname>
-    <refpurpose>generate a file containing random data</refpurpose>
-  </refnamediv>
-
-  <docinfo>
-    <copyright>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2011</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
-      <year>2018</year>
-      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
-    </copyright>
-  </docinfo>
-
-  <refsynopsisdiv>
-    <cmdsynopsis sepchar=" ">
-      <command>genrandom</command>
-      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">number</replaceable></option></arg>
-      <arg choice="req" rep="norepeat"><replaceable class="parameter">size</replaceable></arg>
-      <arg choice="req" rep="norepeat"><replaceable class="parameter">filename</replaceable></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsection><info><title>DESCRIPTION</title></info>
-
-    <para>
-      <command>genrandom</command>
-      generates a file or a set of files containing a specified quantity
-      of pseudo-random data, which can be used as a source of entropy for
-      other commands on systems with no random device.
-    </para>
-  </refsection>
-
-  <refsection><info><title>ARGUMENTS</title></info>
-
-    <variablelist>
-      <varlistentry>
-        <term>-n <replaceable class="parameter">number</replaceable></term>
-        <listitem>
-          <para>
-            In place of generating one file, generates <option>number</option>
-            (from 2 to 9) files, appending <option>number</option> to the name.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>size</term>
-        <listitem>
-          <para>
-            The size of the file, in kilobytes, to generate.
-          </para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>filename</term>
-        <listitem>
-          <para>
-            The file name into which random data should be written.
-          </para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-  </refsection>
-
-  <refsection><info><title>SEE ALSO</title></info>
-
-    <para>
-      <citerefentry>
-        <refentrytitle>rand</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>,
-      <citerefentry>
-        <refentrytitle>arc4random</refentrytitle><manvolnum>3</manvolnum>
-      </citerefentry>
-    </para>
-  </refsection>
-
-</refentry>
diff --git a/bin/tools/genrandom.html b/bin/tools/genrandom.html
deleted file mode 100644
index d2b64a7153..0000000000
--- a/bin/tools/genrandom.html
+++ /dev/null
@@ -1,93 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<!--
- - Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
--->
-<html lang="en">
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>genrandom</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
-<a name="man.genrandom"></a><div class="titlepage"></div>
-  
-  
-
-  
-
-  <div class="refnamediv">
-<h2>Name</h2>
-<p>
-    <span class="application">genrandom</span>
-     &#8212; generate a file containing random data
-  </p>
-</div>
-
-  
-
-  <div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-    <div class="cmdsynopsis"><p>
-      <code class="command">genrandom</code> 
-       [<code class="option">-n <em class="replaceable"><code>number</code></em></code>]
-       {<em class="replaceable"><code>size</code></em>}
-       {<em class="replaceable"><code>filename</code></em>}
-    </p></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.7"></a><h2>DESCRIPTION</h2>
-
-    <p>
-      <span class="command"><strong>genrandom</strong></span>
-      generates a file or a set of files containing a specified quantity
-      of pseudo-random data, which can be used as a source of entropy for
-      other commands on systems with no random device.
-    </p>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.8"></a><h2>ARGUMENTS</h2>
-
-    <div class="variablelist"><dl class="variablelist">
-<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
-<dd>
-          <p>
-            In place of generating one file, generates <code class="option">number</code>
-            (from 2 to 9) files, appending <code class="option">number</code> to the name.
-          </p>
-        </dd>
-<dt><span class="term">size</span></dt>
-<dd>
-          <p>
-            The size of the file, in kilobytes, to generate.
-          </p>
-        </dd>
-<dt><span class="term">filename</span></dt>
-<dd>
-          <p>
-            The file name into which random data should be written.
-          </p>
-        </dd>
-</dl></div>
-  </div>
-
-  <div class="refsection">
-<a name="id-1.9"></a><h2>SEE ALSO</h2>
-
-    <p>
-      <span class="citerefentry">
-        <span class="refentrytitle">rand</span>(3)
-      </span>,
-      <span class="citerefentry">
-        <span class="refentrytitle">arc4random</span>(3)
-      </span>
-    </p>
-  </div>
-
-</div></body>
-</html>
diff --git a/bin/tools/win32/genrandom.vcxproj.filters.in b/bin/tools/win32/genrandom.vcxproj.filters.in
deleted file mode 100644
index 6e97767d19..0000000000
--- a/bin/tools/win32/genrandom.vcxproj.filters.in
+++ /dev/null
@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup>
-    <Filter Include="Source Files">
-      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
-      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
-    </Filter>
-    <Filter Include="Resource Files">
-      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
-      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
-    </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <ClCompile Include="..\genrandom.c">
-      <Filter>Source Files</Filter>
-    </ClCompile>
-  </ItemGroup>
-</Project>
\ No newline at end of file
diff --git a/bin/tools/win32/genrandom.vcxproj.in b/bin/tools/win32/genrandom.vcxproj.in
deleted file mode 100644
index 22fc0959be..0000000000
--- a/bin/tools/win32/genrandom.vcxproj.in
+++ /dev/null
@@ -1,110 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="Debug|@PLATFORM@">
-      <Configuration>Debug</Configuration>
-      <Platform>@PLATFORM@</Platform>
-    </ProjectConfiguration>
-    <ProjectConfiguration Include="Release|@PLATFORM@">
-      <Configuration>Release</Configuration>
-      <Platform>@PLATFORM@</Platform>
-    </ProjectConfiguration>
-  </ItemGroup>
-  <PropertyGroup Label="Globals">
-    <ProjectGuid>{B4AC7F81-E3DC-43E9-B339-4FA5149FA8F7}</ProjectGuid>
-    <Keyword>Win32Proj</Keyword>
-    <RootNamespace>genrandom</RootNamespace>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>true</UseDebugLibraries>
-    <CharacterSet>MultiByte</CharacterSet>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
-    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>MultiByte</CharacterSet>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  <ImportGroup Label="ExtensionSettings">
-  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
-    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
-  </ImportGroup>
-  <PropertyGroup Label="UserMacros" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
-    <LinkIncremental>true</LinkIncremental>
-    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
-    <IntDir>.\$(Configuration)\</IntDir>
-  </PropertyGroup>
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
-    <LinkIncremental>false</LinkIncremental>
-    <OutDir>..\..\..\Build\$(Configuration)\</OutDir>
-    <IntDir>.\$(Configuration)\</IntDir>
-  </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|@PLATFORM@'">
-    <ClCompile>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <WarningLevel>Level3</WarningLevel>
-      <Optimization>Disabled</Optimization>
-      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
-      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
-      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
-      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <BrowseInformation>true</BrowseInformation>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <CompileAs>CompileAsC</CompileAs>
-    </ClCompile>
-    <Link>
-      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>true</GenerateDebugInformation>
-      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
-    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
-      <PrecompiledHeader>
-      </PrecompiledHeader>
-      <Optimization>MaxSpeed</Optimization>
-      <FunctionLevelLinking>true</FunctionLevelLinking>
-      <IntrinsicFunctions>@INTRINSIC@</IntrinsicFunctions>
-      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
-      <WholeProgramOptimization>false</WholeProgramOptimization>
-      <StringPooling>true</StringPooling>
-      <PrecompiledHeaderOutputFile>.\$(Configuration)\$(TargetName).pch</PrecompiledHeaderOutputFile>
-      <AssemblerListingLocation>.\$(Configuration)\</AssemblerListingLocation>
-      <ObjectFileName>.\$(Configuration)\</ObjectFileName>
-      <ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
-      <AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <CompileAs>CompileAsC</CompileAs>
-    </ClCompile>
-    <Link>
-      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>false</GenerateDebugInformation>
-      <EnableCOMDATFolding>true</EnableCOMDATFolding>
-      <OptimizeReferences>true</OptimizeReferences>
-      <OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
-      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
-      <AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
-      <AdditionalDependencies>libisc.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemGroup>
-    <ClCompile Include="..\genrandom.c" />
-  </ItemGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
-</Project>
diff --git a/bin/tools/win32/genrandom.vcxproj.user b/bin/tools/win32/genrandom.vcxproj.user
deleted file mode 100644
index 695b5c78b9..0000000000
--- a/bin/tools/win32/genrandom.vcxproj.user
+++ /dev/null
@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-</Project>
\ No newline at end of file
diff --git a/bin/win32/BINDInstall/BINDInstallDlg.cpp b/bin/win32/BINDInstall/BINDInstallDlg.cpp
index 1cbec5ccb7..8f91f556d5 100644
--- a/bin/win32/BINDInstall/BINDInstallDlg.cpp
+++ b/bin/win32/BINDInstall/BINDInstallDlg.cpp
@@ -170,7 +170,6 @@ const FileData installFiles[] =
 	{"delv.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
 	{"arpaname.exe", FileData::BinDir, FileData::Normal, FALSE, TRUE},
 	{"nsec3hash.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
-	{"genrandom.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
 	{"rndc-confgen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
 	{"ddns-confgen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
 	{"tsig-keygen.exe", FileData::BinDir, FileData::Normal, FALSE, FALSE},
diff --git a/lib/isc/win32/libisc.vcxproj.in b/lib/isc/win32/libisc.vcxproj.in
index 66f0c52f73..f016961cbe 100644
--- a/lib/isc/win32/libisc.vcxproj.in
+++ b/lib/isc/win32/libisc.vcxproj.in
@@ -225,7 +225,6 @@ copy ..\bin\pkcs11\pkcs11-destroy.html ..\Build\Release
 copy ..\bin\pkcs11\pkcs11-tokens.html ..\Build\Release
 @END PKCS11
 copy ..\bin\tools\arpaname.html ..\Build\Release
-copy ..\bin\tools\genrandom.html ..\Build\Release
 copy ..\bin\tools\named-journalprint.html ..\Build\Release
 copy ..\bin\tools\named-rrchecker.html ..\Build\Release
 copy ..\bin\tools\nsec3hash.html ..\Build\Release
diff --git a/util/copyrights b/util/copyrights
index fb7014e76c..ad1670c7fd 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2449,10 +2449,6 @@
 ./bin/tools/dnstap-read.c			C	2015,2016,2017,2018
 ./bin/tools/dnstap-read.docbook			SGML	2015,2016,2017,2018
 ./bin/tools/dnstap-read.html			HTML	DOCBOOK
-./bin/tools/genrandom.8				MAN	DOCBOOK
-./bin/tools/genrandom.c				C	2000,2001,2002,2003,2004,2005,2007,2009,2010,2012,2014,2016,2018
-./bin/tools/genrandom.docbook			SGML	2009,2010,2011,2014,2015,2016,2018
-./bin/tools/genrandom.html			HTML	DOCBOOK
 ./bin/tools/mdig.1				MAN	DOCBOOK
 ./bin/tools/mdig.c				C	2015,2016,2017,2018
 ./bin/tools/mdig.docbook			SGML	2015,2016,2017,2018
@@ -2476,9 +2472,6 @@
 ./bin/tools/win32/arpaname.vcxproj.filters.in	X	2013,2015,2018
 ./bin/tools/win32/arpaname.vcxproj.in		X	2013,2015,2016,2017,2018
 ./bin/tools/win32/arpaname.vcxproj.user		X	2013,2018
-./bin/tools/win32/genrandom.vcxproj.filters.in	X	2013,2015,2018
-./bin/tools/win32/genrandom.vcxproj.in		X	2013,2015,2016,2017,2018
-./bin/tools/win32/genrandom.vcxproj.user	X	2013,2018
 ./bin/tools/win32/journalprint.vcxproj.filters.in	X	2013,2015,2018
 ./bin/tools/win32/journalprint.vcxproj.in	X	2013,2015,2016,2017,2018
 ./bin/tools/win32/journalprint.vcxproj.user	X	2013,2018
@@ -2768,7 +2761,6 @@
 ./doc/arm/man.dnssec-signzone.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
 ./doc/arm/man.dnssec-verify.html		X	2012,2013,2014,2015,2016,2017,2018
 ./doc/arm/man.dnstap-read.html			X	2015,2016,2017,2018
-./doc/arm/man.genrandom.html			X	2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
 ./doc/arm/man.host.html				X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
 ./doc/arm/man.mdig.html				X	2016,2017,2018
 ./doc/arm/man.named-checkconf.html		X	2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
diff --git a/win32utils/Configure b/win32utils/Configure
index 78cc666706..88e80e1b0b 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -106,8 +106,6 @@ my @projectlist = ("..\\bin\\check\\win32\\checkconf.vcxproj",
                    "..\\bin\\rndc\\win32\\rndcutil.vcxproj.filters",
                    "..\\bin\\tools\\win32\\arpaname.vcxproj",
                    "..\\bin\\tools\\win32\\arpaname.vcxproj.filters",
-                   "..\\bin\\tools\\win32\\genrandom.vcxproj",
-                   "..\\bin\\tools\\win32\\genrandom.vcxproj.filters",
                    "..\\bin\\tools\\win32\\journalprint.vcxproj",
                    "..\\bin\\tools\\win32\\journalprint.vcxproj.filters",
                    "..\\bin\\tools\\win32\\mdig.vcxproj",
@@ -3114,7 +3112,6 @@ sub makeinstallfile {
     print LOUT "delv.exe-BNFT\n";
     print LOUT "arpaname.exe-BNFT\n";
     print LOUT "nsec3hash.exe-BNFF\n";
-    print LOUT "genrandom.exe-BNFF\n";
     print LOUT "rndc-confgen.exe-BNFF\n";
     print LOUT "ddns-confgen.exe-BNFF\n";
     print LOUT "tsig-keygen.exe-BNFF\n";
diff --git a/win32utils/bind9.sln.in b/win32utils/bind9.sln.in
index c0f5693906..b32aebb855 100644
--- a/win32utils/bind9.sln.in
+++ b/win32utils/bind9.sln.in
@@ -372,12 +372,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "nsec3hash", "..\bin\tools\w
 		{5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A} = {5FEBFD4E-CCB0-48B9-B733-E15EEB85C16A}
 	EndProjectSection
 EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "genrandom", "..\bin\tools\win32\genrandom.vcxproj", "{B4AC7F81-E3DC-43E9-B339-4FA5149FA8F7}"
-	ProjectSection(ProjectDependencies) = postProject
-		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}
-		{3840E563-D180-4761-AA9C-E6155F02EAFF} = {3840E563-D180-4761-AA9C-E6155F02EAFF}
-	EndProjectSection
-EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "rrchecker", "..\bin\tools\win32\rrchecker.vcxproj", "{98743A7C-6AF8-467F-9911-FA69C451AF2B}"
 	ProjectSection(ProjectDependencies) = postProject
 		{A3F71D12-F38A-4C77-8D87-8E8854CA74A1} = {A3F71D12-F38A-4C77-8D87-8E8854CA74A1}