diff --git a/config/modules/nixos/dyndns.nix b/config/modules/nixos/dyndns.nix index f0f79f6c..257d3c6b 100644 --- a/config/modules/nixos/dyndns.nix +++ b/config/modules/nixos/dyndns.nix @@ -7,7 +7,7 @@ with lib; network.dns.dynamic = mkEnableOption "Enable Glauca Dynamic DNS Updater"; }; - config = mkIf (config.network.dns.dynamic) { + config = mkIf (false) { kw.secrets = [ "hexdns-key" "hexdns-secret" diff --git a/config/services/knot/knot.yaml b/config/services/knot/knot.yaml index 7e985844..44305ce7 100644 --- a/config/services/knot/knot.yaml +++ b/config/services/knot/knot.yaml @@ -6,14 +6,14 @@ remote: - id: benjojo address: 185.230.223.84 address: 2a0c:2f07:4896:666:216:3eff:fedb:c742 + address: 185.236.240.26 + address: 185.230.223.7 acl: - - id: update_acl - key: dnsupdate - address: 0.0.0.0/0 - address: ::/0 + - id: dnsupdate + key: dnsupdate.kittywit.ch. action: update - - id: benjojo_acl + - id: benjojo remote: benjojo action: transfer @@ -24,7 +24,8 @@ zone: file: kittywit.ch.zone dnssec-signing: on notify: benjojo - acl: [ benjojo_acl, update_acl ] + zonefile-load: difference + acl: [ benjojo, dnsupdate ] log: - target: syslog diff --git a/config/services/nginx/default.nix b/config/services/nginx/default.nix index 64c50c8b..8305bad4 100644 --- a/config/services/nginx/default.nix +++ b/config/services/nginx/default.nix @@ -5,10 +5,10 @@ with lib; { secrets.files.dns_creds = { text = '' - RFC2136_NAMESERVER='ns1.as207960.net' + RFC2136_NAMESERVER='${tf.variables.katdns-addr.ref}' RFC2136_TSIG_ALGORITHM='hmac-sha512.' - RFC2136_TSIG_KEY='${tf.variables.rfc2136-key.ref}' - RFC2136_TSIG_SECRET='${tf.variables.rfc2136-secret.ref}' + RFC2136_TSIG_KEY='${tf.variables.katdns-name.ref}' + RFC2136_TSIG_SECRET='${tf.variables.katdns-key.ref}' ''; }; diff --git a/config/targets/common/default.nix b/config/targets/common/default.nix index d19041b8..d72c7031 100644 --- a/config/targets/common/default.nix +++ b/config/targets/common/default.nix 
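Review bot: In config/modules/nixos/dyndns.nix, `mkIf (false)` leaves the `network.dns.dynamic` option declared but turns it into a no-op, so a host that still sets it to true silently stops sending dynamic DNS updates and nothing in the file says why. If the Glauca updater is being retired, I would remove the option together with the `hexdns-key` and `hexdns-secret` entries. Otherwise I would keep the original condition and put a comment such as `# temporarily disabled: <reason>` above it. The `config` block continues outside the hunk.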
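Review bot: In the first hunk of config/services/knot/knot.yaml, the new `dnsupdate` ACL matches on the TSIG key alone, with no `address`, `update-type` or `update-owner` limit, so any holder of `dnsupdate.kittywit.ch.` can change any record in the zone from any source address. The nginx hunk and the config/targets/common hunk both read the secret from `katdns-key`, so the web host's ACME credentials file appears to carry the same zone-wide key as the Terraform provider. I would give ACME its own key and an ACL limited to challenge records, for example `update-type: [TXT]`, `update-owner: name`, `update-owner-name: [_acme-challenge]`, after checking these options against the deployed Knot version. The `key:` section that has to define the renamed key id is outside the hunk.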
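Review bot: In the second hunk of config/services/knot/knot.yaml, `zonefile-load: difference` is added to a zone that is both DNSSEC-signed and open to dynamic updates, and the hunk shows no `zonefile-sync` or `journal-content` setting next to it. With those sources of change combined, whether hand edits to `kittywit.ch.zone` or the server's own flushed copy win depends on those settings, and in this mode the SOA serial in the file presumably has to be raised by whoever edits it. I would set both options explicitly on this zone, or confirm they are set in a part of the file outside the hunk, and add a short comment stating the intent, such as `# zone file is hand-edited; DDNS and signing changes live in the journal`.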
@@ -12,10 +12,12 @@ externalSecret = true; }; + variables.katdns-addr = { + externalSecret = true; + }; variables.katdns-name = { externalSecret = true; }; - variables.katdns-key = { externalSecret = true; }; @@ -23,8 +25,8 @@ providers.katdns = { type = "dns"; inputs.update = { - server = "ns1.kittywit.ch"; - key_name = "kittywit.ch."; + server = config.variables.katdns-addr.ref; + key_name = config.variables.katdns-name.ref; key_secret = config.variables.katdns-key.ref; key_algorithm = "hmac-sha512"; };