diff --git a/lib/dns/rrl.c b/lib/dns/rrl.c
index 38405165e8..91cf387f5b 100644
--- a/lib/dns/rrl.c
+++ b/lib/dns/rrl.c
@@ -22,6 +22,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -372,14 +373,12 @@ key_cmp(const dns_rrl_key_t *a, const dns_rrl_key_t *b) {
 static uint32_t
 hash_key(const dns_rrl_key_t *key) {
- uint32_t hval;
- int i;
-
- hval = key->w[0];
- for (i = sizeof(key->w) / sizeof(key->w[0]) - 1; i >= 0; --i) {
- hval = key->w[i] + (hval << 1);
- }
- return hval;
+ /*
+ * The key includes attacker-controlled bits (client /24, qname
+ * hash, qtype). Use the keyed, per-process-randomised hash so
+ * collisions cannot be engineered to overload one bucket chain.
+ */
+ return isc_hash32(key, sizeof(*key), true);
 }
 /*
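Review bot: The `true` passed as the last argument to `isc_hash32` in the new `return` of `hash_key` is unexplained at the call site; it selects case-sensitive (raw byte) hashing, which is what a binary key needs, but a reader may take it for the flag that enables keying. Extend the new comment with `* The last argument requests case-sensitive hashing: the key is a binary struct, not a DNS name, so no case folding may be applied.` The comment's "client /24" describes only the default IPv4 prefix, which as far as I recall is configurable in the rate-limit options, so `client address prefix` would be more accurate. Hashing `sizeof(*key)` covers the same bytes the removed loop walked through `key->w`, so agreement with `key_cmp` is preserved as long as every byte of the key, padding included, is set before hashing; the code that builds the key lies outside this hunk.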