But for my own home network I really think that the /dev/urandom will be sufficient.
There must be many more ways to troubleshoot any problems.
I had previously cleaned up the structure by rebuilding the _MSDCS zone at the top level and confirming all the SRV records exist (supported by DNS Lint and DCdiag verbose DNS tests).
Also set the zones to replicate across the forest and use secure updates, and consolidated a bunch of reverse zones into a two-octet one (the new one would be 99.172, as an example).
But for me the dnssec-keygen would just halt without that parameter.
Please let me know if you know of a better solution.
When using dnssec-keygen to generate the secret key I passed it the parameter "-r /dev/urandom".
If that is the case I recommend you stop DHCP updating DNS entirely and allow the clients to do it themselves.
This is done by simply removing the DNS update options from DHCP.
If DHCP is updating universally you should drive for consistency, get the servers out of that proxy update group. The Aging settings dictate how quickly a record can be scavenged, but those should never be set to less than a day or you'll find records for your servers and domain controllers vanish.