diff --git a/manifests/profile/base/designate/worker.pp b/manifests/profile/base/designate/worker.pp
index aafcad2bd..a0835967d 100644
--- a/manifests/profile/base/designate/worker.pp
+++ b/manifests/profile/base/designate/worker.pp
@@ -23,11 +23,21 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*rndc_key*]
+#   (Optional) The base64-encoded key secret for /etc/rndc.key.
+#   Defaults to hiera('designate_rndc_key')
+#
 class tripleo::profile::base::designate::worker (
   $step = Integer(hiera('step')),
+  $rndc_key = hiera('designate_rndc_key'),
 ) {
   include ::tripleo::profile::base::designate
+
   if $step >= 4 {
+    file { 'designate rndc key':
+      path    => '/etc/rndc.key',
+      content => template('tripleo/designate/rndc.key.erb')
+    }
     include ::designate::worker
   }
 }
diff --git a/templates/designate/rndc.key.erb b/templates/designate/rndc.key.erb
new file mode 100644
index 000000000..ef6da7324
--- /dev/null
+++ b/templates/designate/rndc.key.erb
@@ -0,0 +1,4 @@
+key "rndc-key" {
+        algorithm hmac-sha256;
+        secret "<%= @rndc_key %>";
+};