diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 80154d21de..c7a99261e2 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -66,11 +66,6 @@ EXTERN unsigned int		ns_g_debuglevel		INIT(0);
  */
 EXTERN const char *		ns_g_conffile	INIT("/etc/named.conf");
 
-/*
- * Current TKEY context
- */
-EXTERN dns_tkey_ctx_t *		ns_g_tkeyctx		INIT(NULL);
-
 /*
  * Misc.
  */
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index c115b71b8b..961ad39855 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -54,6 +54,7 @@ struct ns_server {
 	isc_rwlock_t		viewlock;
 	ns_interfacemgr_t *	interfacemgr;
 	dns_db_t *		roothints;
+	dns_tkey_ctx_t *	tkeyctx;
 
 	isc_mutex_t		reload_event_lock;
 	isc_event_t *		reload_event;
diff --git a/bin/named/query.c b/bin/named/query.c
index 2f63be1efe..5f820a0c2d 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -2745,7 +2745,7 @@ ns_query_start(ns_client_t *client) {
 				return;
 			case dns_rdatatype_tkey:
 				result = dns_tkey_processquery(client->message,
-							       ns_g_tkeyctx,
+							       ns_g_server->tkeyctx,
 							       client->view->dynamickeys);
 				if (result == ISC_R_SUCCESS)
 					ns_client_send(client);
diff --git a/bin/named/server.c b/bin/named/server.c
index be5bcba4ee..7f1a64c294 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -562,12 +562,16 @@ load_configuration(const char *filename, ns_server_t *server) {
 	RWUNLOCK(&server->viewlock, isc_rwlocktype_write);
 
 	/*
-	 * Load the TKEY information from the configuration
+	 * Load the TKEY information from the configuration.
 	 */
-	if (ns_g_tkeyctx != NULL)
-		dns_tkeyctx_destroy(&ns_g_tkeyctx);
-	CHECKM(dns_tkeyctx_fromconfig(configctx, ns_g_mctx, &ns_g_tkeyctx),
-	       "setting up TKEY");
+	{
+		dns_tkey_ctx_t *t = NULL;
+		CHECKM(dns_tkeyctx_fromconfig(configctx, ns_g_mctx, &t),
+		       "configuring TKEY");
+		if (server->tkeyctx != NULL)
+			dns_tkeyctx_destroy(&server->tkeyctx);
+		server->tkeyctx = t;
+	}
 	/*
 	 * Rescan the interface list to pick up changes in the
 	 * listen-on option.
@@ -668,7 +672,6 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 
 	RWUNLOCK(&server->viewlock, isc_rwlocktype_write);
 
-	dns_tkeyctx_destroy(&ns_g_tkeyctx);
 
 	ns_clientmgr_destroy(&server->clientmgr);
 	ns_interfacemgr_shutdown(server->interfacemgr);
@@ -730,7 +733,11 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	CHECKFATAL(server->reload_event == NULL ?
 		   ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "allocating reload event");
-	
+
+	server->tkeyctx = NULL;
+	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, &server->tkeyctx),
+		   "creating TKEY context");
+
 	/*
 	 * Setup the server task, which is responsible for coordinating
 	 * startup and shutdown of the server.
@@ -755,6 +762,9 @@ ns_server_destroy(ns_server_t **serverp) {
 	ns_server_t *server = *serverp;
 	REQUIRE(NS_SERVER_VALID(server));
 
+	if (server->tkeyctx != NULL)
+		dns_tkeyctx_destroy(&server->tkeyctx);
+
 	isc_event_free(&server->reload_event);
 	
 	INSIST(ISC_LIST_EMPTY(server->viewlist));