diff --git a/CHANGES b/CHANGES index eba827d062..1049556a05 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,7 @@ -4395 [bug] Improve out-of-tree installation of python modules. +4396. [func] dnssec-keymgr now takes a '-r randomfile' option. + [RT #42455] + +4395. [bug] Improve out-of-tree installation of python modules. [RT #42586] 4394. [func] Add rndc command "dnstap-reopen" to close and diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook index 29c0a598a9..1bf4c6d700 100644 --- a/bin/python/dnssec-keymgr.docbook +++ b/bin/python/dnssec-keymgr.docbook @@ -14,10 +14,9 @@ - PERFORMANCE OF THIS SOFTWARE. --> - - 2016-04-03 + 2016-06-03 ISC @@ -53,6 +52,7 @@ + zone @@ -191,6 +191,18 @@ + + -r randomdev + + + Specifies a path to a file containing random data. + This is passed to the dnssec-keygen binary + using its option. + + + + + -s settime-path diff --git a/bin/python/isc/dnskey.py.in b/bin/python/isc/dnskey.py.in index 36825118e2..a87de63c41 100644 --- a/bin/python/isc/dnskey.py.in +++ b/bin/python/isc/dnskey.py.in @@ -170,12 +170,15 @@ class dnskey: self._changed[prop] = False @classmethod - def generate(cls, keygen_bin, keys_dir, name, alg, keysize, sep, + def generate(cls, keygen_bin, randomdev, keys_dir, name, alg, keysize, sep, ttl, publish=None, activate=None, **kwargs): quiet = kwargs.get('quiet', False) keygen_cmd = [keygen_bin, "-q", "-K", keys_dir, "-L", str(ttl)] + if randomdev: + keygen_cmd += ["-r", randomdev] + if sep: keygen_cmd.append("-fk") @@ -210,7 +213,7 @@ class dnskey: except Exception as e: raise Exception('unable to parse generated key: %s' % str(e)) - def generate_successor(self, keygen_bin, **kwargs): + def generate_successor(self, keygen_bin, randomdev, **kwargs): quiet = kwargs.get('quiet', False) if not self.inactive(): @@ -221,6 +224,9 @@ class dnskey: if self.ttl: keygen_cmd += ["-L", str(self.ttl)] + if randomdev: + keygen_cmd += ["-r", randomdev] + if not quiet: print('# ' + ' '.join(keygen_cmd)) 
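Review bot: The new `randomdev` argument of `generate` is inserted as a required positional parameter between `keygen_bin` and `keys_dir`, so a caller not updated in this commit either fails with a TypeError on argument count or, if it was already passing `publish`/`activate` positionally, has `keys_dir`, `name`, `alg` and the rest shifted by one without any error; the same applies to `generate_successor` in the next hunk, where `randomdev` becomes a required positional ahead of `**kwargs`. Appending it with a default keeps the old call shape valid, and the `if randomdev:` guard already treats `None` as "no `-r`": `def generate(cls, keygen_bin, keys_dir, name, alg, keysize, sep, ttl, publish=None, activate=None, randomdev=None, **kwargs):` and `def generate_successor(self, keygen_bin, randomdev=None, **kwargs):` (the keyseries call sites would then pass it by keyword). Neither method has a docstring; a one-line note that `randomdev` is forwarded verbatim as `dnssec-keygen -r`, that `dnssec-keygen` uses it as its source of randomness, and that `None`/empty means the option is omitted would help the next reader. Both method bodies start and end outside these hunks.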
diff --git a/bin/python/isc/keymgr.py.in b/bin/python/isc/keymgr.py.in index e3e9ad3bdd..920504a440 100644 --- a/bin/python/isc/keymgr.py.in +++ b/bin/python/isc/keymgr.py.in @@ -80,6 +80,9 @@ def parse_args(): parser.add_argument('-g', dest='keygen', default=keygen, type=str, help='Path to \'dnssec-keygen\'', metavar='path') + parser.add_argument('-r', dest='randomdev', type=str, default=None, + help='Path to a file containing random data to pass to \'dnssec-keygen\'', + metavar='path') parser.add_argument('-s', dest='settime', default=settime, type=str, help='Path to \'dnssec-settime\'', metavar='path') @@ -130,7 +133,8 @@ def main(): # into a context object that can be passed around context = {'keygen_path': args.keygen, 'settime_path': args.settime, - 'keys_path': args.path} + 'keys_path': args.path, + 'randomdev': args.randomdev} try: dp = policy.dnssec_policy(args.policyfile) diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in index 3120d0226d..613b9e2903 100644 --- a/bin/python/isc/keyseries.py.in +++ b/bin/python/isc/keyseries.py.in @@ -131,6 +131,7 @@ class keyseries: # generated if Inactive has been set in the predecessor key prev.commit(self._context['settime_path'], **kwargs) key = prev.generate_successor(self._context['keygen_path'], + self._context['randomdev'], **kwargs) key.setinactive(key.activate() + rp, **kwargs) @@ -166,6 +167,7 @@ class keyseries: if 'ksk' not in kwargs or not kwargs['ksk']: if len(self._Z[zone][algnum]) == 0: k = dnskey.generate(self._context['keygen_path'], + self._context['randomdev'], keys_dir, zone, alg, policy.zsk_keysize, False, policy.keyttl or 3600, @@ -176,6 +178,7 @@ class keyseries: if 'zsk' not in kwargs or not kwargs['zsk']: if len(self._K[zone][algnum]) == 0: k = dnskey.generate(self._context['keygen_path'], + self._context['randomdev'], keys_dir, zone, alg, policy.ksk_keysize, True, policy.keyttl or 3600, 
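Review bot: The `-r` help string says only that the file contains random data; because the path is forwarded to `dnssec-keygen -r`, which uses it as its source of randomness, the generated keys are only as unpredictable as that file's contents, and the help text (and the docbook entry in this commit) should say so. Suggest `help='Path to a file containing random data to pass to \'dnssec-keygen\' as its randomness source (key strength depends on this data)'`. The argument is also named three ways across the commit: `randomfile` in CHANGES, `randomdev` in the docbook and `path` as the argparse metavar; `metavar='randomdev'` would align the usage line with the manual page. `parse_args` continues outside the hunk.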
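Review bot: `self._context['randomdev']` is a hard subscript, so a `keyseries` whose context dict was built anywhere other than the updated `main` in keymgr.py.in (older driver scripts, tests that assemble the context by hand) now raises KeyError at the first key generation instead of simply omitting `-r`; the same lookup appears in the two following hunks of this file. Since `dnskey.generate` and `generate_successor` already treat a falsy `randomdev` as "no `-r`", `self._context.get('randomdev')` at all three sites is a drop-in that keeps hand-built contexts working. The enclosing methods start and end outside these hunks.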
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh index a34bb46e20..dd5849d12f 100644 --- a/bin/tests/system/keymgr/tests.sh +++ b/bin/tests/system/keymgr/tests.sh @@ -39,7 +39,7 @@ for dir in [0-9][0-9]-*; do . $dir/expect # run keymgr to update keys - $KEYMGR -K $dir -g $KEYGEN -s $SETTIME $kargs > keymgr.$n 2>&1 + $KEYMGR -K $dir -g $KEYGEN -r $RANDFILE -s $SETTIME $kargs > keymgr.$n 2>&1 # check that return code matches expectations found=$? if [ $found -ne $kret ]; then
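Review bot: `$RANDFILE` is referenced unquoted and nothing in the hunk sets it; if it is unset or empty in the harness the command collapses to `-r -s $SETTIME`, which argparse rejects as `-r` missing its argument, so every test case would fail with the same unrelated error. Presumably the system-test conf.sh exports it (not visible here); quoting it, `$KEYMGR -K $dir -g $KEYGEN -r "$RANDFILE" -s $SETTIME $kargs > keymgr.$n 2>&1`, lets an empty value degrade to "no `-r`" via the `if randomdev:` guard in dnskey.py.in, and a `${RANDFILE:?RANDFILE not set}` check before the loop makes the dependency explicit. The loop body continues past the hunk.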