diff --git a/tasks/main.yml b/tasks/main.yml
index 0d0f7cc..b028ca0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,7 +65,9 @@
   tags: bind
 
 - name: dnssec sign
-  shell: 'cd /etc/bind/keys && dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/db.{{ item.item.key }}'
+  shell: 'dnssec-signzone -3 $(head -n 1000 /dev/urandom | sha1sum | cut -b 1-16) -A -N INCREMENT -o {{ item.item.key }} -t /etc/bind/zones/db.{{ item.item.key }}'
+  args:
+    chdir: /etc/bind/keys
   with_items: '{{ zone.results }}'
   when: item.changed and item.item.value.dnssec is defined and item.item.value.dnssec
   notify: reload bind