diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index f965c16796..91388ce6ed 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -615,6 +615,13 @@ grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'"
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "check obsolete options generate warnings ($n)"
+ret=0
+$CHECKCONF warn-random-device.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'random-device' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
 rmdir keys
 echo_i "exit status: $status"
diff --git a/bin/tests/system/checkconf/warn-random-device.conf b/bin/tests/system/checkconf/warn-random-device.conf
new file mode 100644
index 0000000000..bc1451d8d9
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-random-device.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	random-device "/dev/urandom";
+};
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index ef6c1c7659..651c39d058 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -1647,31 +1647,6 @@ default is used.
    classify outgoing DNS traffic, on operating systems that support DSCP.
    Valid values are 0 through 63. It is not configured by default.
-.. namedconf:statement:: random-device
-   :tags: server, security
-   :short: Specifies a source of entropy to be used by the server.
-
-   This specifies a source of entropy to be used by the server; it is a
-   device or file from which to read entropy. If it is a file,
-   operations requiring entropy will fail when the file has been
-   exhausted.
-
-   Entropy is needed for cryptographic operations such as TKEY
-   transactions, dynamic update of signed zones, and generation of TSIG
-   session keys. It is also used for seeding and stirring the
-   pseudo-random number generator which is used for less critical
-   functions requiring randomness, such as generation of DNS message
-   transaction IDs.
-
-   If :any:`random-device` is not specified, or if it is set to ``none``,
-   entropy is read from the random number generation function
-   supplied by the cryptographic library with which BIND was linked
-   (i.e. OpenSSL or a PKCS#11 provider).
-
-   The :any:`random-device` option takes effect during the initial
-   configuration load at server startup time and is ignored on
-   subsequent reloads.
-
 .. namedconf:statement:: preferred-glue
-   :tags: query
-   :short: Controls the order of glue records in an A or AAAA response.
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index cd492e395e..8f7f599918 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -283,7 +283,7 @@ options {
 	query\-source ( ( [ address ] ( | * ) [ port ( | * ) ] ) | ( [ [ address ] ( | * ) ] port ( | * ) ) ) [ dscp ];
 	query\-source\-v6 ( ( [ address ] ( | * ) [ port ( | * ) ] ) | ( [ [ address ] ( | * ) ] port ( | * ) ) ) [ dscp ];
 	querylog ;
-	random\-device ( | none );
+	random\-device ( | none ); // obsolete
 	rate\-limit {
 		all\-per\-second ;
 		errors\-per\-second ;
diff --git a/doc/misc/options b/doc/misc/options
index 204c0a4a48..f5ed9c1c4d 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -226,7 +226,7 @@ options {
 	query-source ( ( [ address ] ( | * ) [ port ( | * ) ] ) | ( [ [ address ] ( | * ) ] port ( | * ) ) ) [ dscp ];
 	query-source-v6 ( ( [ address ] ( | * ) [ port ( | * ) ] ) | ( [ [ address ] ( | * ) ] port ( | * ) ) ) [ dscp ];
 	querylog ;
-	random-device ( | none );
+	random-device ( | none ); // obsolete
 	rate-limit {
 		all-per-second ;
 		errors-per-second ;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 1758b88d0e..c2ed8d6488 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1304,7 +1304,7 @@ static cfg_clausedef_t options_clauses[] = {
 	{ "https-port", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif
 	{ "querylog", &cfg_type_boolean, 0 },
-	{ "random-device", &cfg_type_qstringornone, 0 },
+	{ "random-device", &cfg_type_qstringornone, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "recursing-file", &cfg_type_qstring, 0 },
 	{ "recursive-clients", &cfg_type_uint32, 0 },
 	{ "reuseport", &cfg_type_boolean, 0 },
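Review bot: The flag change on the `random-device` entry only alters what the parser reports; whether anything in named still reads the parsed value at startup is outside this hunk, and if it does, a warning that says the option "should be removed" would be misleading because the setting would still take effect, so that consumer should be checked in the same change (I cannot see it from here). The entry would also benefit from a short why-comment, since the reason for retiring it is only stated in the documentation this commit deletes: `/* obsolete: entropy comes from the crypto library's RNG, not a configured device */`. The options_clauses[] table begins and ends outside the hunk.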