diff --git a/config/profiles/base/network.nix b/config/profiles/base/network.nix
index 8ef92756..01042c05 100644
--- a/config/profiles/base/network.nix
+++ b/config/profiles/base/network.nix
@@ -6,7 +6,7 @@
 nftables.enable = true;
 dns = {
 enable = true;
- email = "kat@kittywit.ch";
+ email = "acme@kittywit.ch";
 tld = "kittywit.ch.";
 };
 };
diff --git a/config/services/knot/default.nix b/config/services/knot/default.nix
index bbed73ca..ee8669e5 100644
--- a/config/services/knot/default.nix
+++ b/config/services/knot/default.nix
@@ -1,4 +1,4 @@
-{ config, tf, pkgs, ... }:
+{ config, lib, tf, pkgs, ... }:
 {
 kw.secrets = [ "knot-dnsupdate" ];
@@ -14,9 +14,9 @@
 group = "knot";
 };
- /* environment.etc."katdns/zones/kittywit.ch.zone".text = let
+/* environment.etc."katdns/zones/kittywit.ch.zone".text = let
 dns = pkgs.dns;
- in dns.lib.toString "kittywit.ch." (import ./kittywit.ch.nix {inherit dns; }); */
+ in dns.lib.toString "kittywit.ch" (import ./kittywit.ch.nix { inherit dns lib; }); */
 services.knot = {
 enable = true;
diff --git a/config/services/knot/kittywit.ch.nix b/config/services/knot/kittywit.ch.nix
index 633d1857..65d1c870 100644
--- a/config/services/knot/kittywit.ch.nix
+++ b/config/services/knot/kittywit.ch.nix
@@ -1,4 +1,4 @@
-{ dns }:
+{ dns, lib }:
 with dns.lib.combinators;
@@ -6,11 +6,15 @@ with dns.lib.combinators;
 SOA = {
 nameServer = "ns1";
 adminEmail = "kat@kittywit.ch";
- serial = 0;
+ serial = 2021083001;
+ ttl = 3600;
 };
+ CAA = map (x: x // { ttl = 3600; }) (letsEncrypt "acme@kittywit.ch");
+
 NS = [
 "ns1.kittywit.ch."
- "ns2.kittywit.ch."
+ "rdns1.benjojo.co.uk."
+ "rdns2.benjojo.co.uk."
 ];
 }
diff --git a/config/services/knot/knot.yaml b/config/services/knot/knot.yaml
index 51037de9..7e985844 100644
--- a/config/services/knot/knot.yaml
+++ b/config/services/knot/knot.yaml
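Review bot: The `environment.etc."katdns/zones/kittywit.ch.zone"` block is still inside `/* */` after this edit, so the zone definition in kittywit.ch.nix is never rendered, and the `/var/lib/knot/zones/kittywit.ch.zone` that knot.yaml now loads has to come from somewhere this diff does not show. Editing dead code is also easy to get wrong unnoticed: the origin passed to `toString` changed from `"kittywit.ch."` to `"kittywit.ch"` while `tld` in network.nix and `dns.zones."kittywit.ch."` keep the trailing dot. Either re-enable the block together with a step that seeds the rendered file into the writable storage directory (knot needs to write there once dynamic updates and signing are on), or delete it and leave one comment above `services.knot` such as `# zone file is seeded out-of-band into /var/lib/knot/zones/; kittywit.ch.nix is not currently rendered`. The enclosing attribute set starts and ends outside the hunk.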
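Review bot: `serial = 2021083001` makes the SOA serial a hand-maintained date constant, and with `dnssec-signing: on` plus dynamic updates configured in knot.yaml, knot presumably bumps the serial itself when it re-signs or applies updates; a zone file re-rendered from this definition would then carry a serial lower than the one the new benjojo secondaries last saw and be ignored by them until someone raises it by hand. If this file is ever rendered again, either let knot own the serial (a `serial-policy` in the zone template) or document the rule next to the value: `# bump on every edit (YYYYMMDDnn); must stay above the serial knot and the secondaries currently hold`. Replacing `ns2.kittywit.ch.` with `rdns1/rdns2.benjojo.co.uk.` in the apex NS set also requires the delegation at the parent to be updated to the same set, which is outside this diff. The `ttl = 3600` on the SOA and on the `letsEncrypt` CAA records is fine; the CAA `iodef` contact, if the combinator emits one, will be `acme@kittywit.ch` while the SOA `adminEmail` stays `kat@`, which is worth a one-line comment if intentional.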
@@ -2,20 +2,29 @@ server:
 listen: 0.0.0.0@53
 listen: ::@53
+remote:
+ - id: benjojo
+ address: 185.230.223.84
+ address: 2a0c:2f07:4896:666:216:3eff:fedb:c742
+
 acl:
 - id: update_acl
 key: dnsupdate
 address: 0.0.0.0/0
 address: ::/0
 action: update
+ - id: benjojo_acl
+ remote: benjojo
+ action: transfer
 zone:
 - domain: kittywit.ch
 semantic-checks: on
- storage: /etc/katdns/zones/
+ storage: /var/lib/knot/zones/
 file: kittywit.ch.zone
 dnssec-signing: on
- acl: update_acl
+ notify: benjojo
+ acl: [ benjojo_acl, update_acl ]
 log:
 - target: syslog
diff --git a/config/targets/common/default.nix b/config/targets/common/default.nix
index c5e6ebc4..d19041b8 100644
--- a/config/targets/common/default.nix
+++ b/config/targets/common/default.nix
@@ -12,7 +12,25 @@
 externalSecret = true;
 };
- dns.zones."kittywit.ch." = { provider = "dns"; };
+ variables.katdns-name = {
+ externalSecret = true;
+ };
+
+ variables.katdns-key = {
+ externalSecret = true;
+ };
+
+ providers.katdns = {
+ type = "dns";
+ inputs.update = {
+ server = "ns1.kittywit.ch";
+ key_name = "kittywit.ch.";
+ key_secret = config.variables.katdns-key.ref;
+ key_algorithm = "hmac-sha512";
+ };
+ };
+
+ dns.zones."kittywit.ch." = { provider = "dns.katdns"; };
 providers.dns = {
 inputs.update = {
diff --git a/overlays/dns/default.nix b/overlays/dns/default.nix
index 5498cc53..e8680600 100644
--- a/overlays/dns/default.nix
+++ b/overlays/dns/default.nix
@@ -1,3 +1,3 @@
 { sources, ... }: final: prev: {
- dns = import (sources.kirelagin + "/dns") { pkgs = final; };
+ dns = import sources.nix-dns;
 }
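Review bot: `benjojo_acl` authorizes zone transfers by source address alone (`remote: benjojo`, no `key:`), and `notify: benjojo` sends NOTIFY messages unsigned, whereas the existing `update_acl` right above it requires the `dnsupdate` TSIG key; address-only AXFR authorization is only as strong as the peer's IP being unspoofable and on-path tampering being absent, and the secondary has no way to verify that a NOTIFY really came from ns1. Agree a TSIG key with the secondary operator and reference it on both sides, `key: benjojo-xfr` under the `benjojo` remote and `key: benjojo-xfr` under `benjojo_acl`, with the key material itself defined in the same secret-managed `key:` section that already holds `dnsupdate` (not visible in this hunk). Since `dnssec-signing: on` already makes the zone contents enumerable, the key is about integrity and origin of transfers, not confidentiality. The new `storage: /var/lib/knot/zones/` must be writable by the knot user and already contain `kittywit.ch.zone` before the first load; nothing in this diff creates it.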
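Review bot: `variables.katdns-name` is declared as an externalSecret but never referenced; `key_name` is hard-coded to `"kittywit.ch."` instead, so either use `key_name = config.variables.katdns-name.ref;` or drop the unused variable rather than leaving a secret that nothing reads. The TSIG key name the provider sends has to equal the `id:` of the key knot loads, and knot.yaml's `update_acl` refers to a key called `dnsupdate`; unless that key's id really is `kittywit.ch.`, every update will fail TSIG verification, so confirm the name against the `knot-dnsupdate` secret and add `# must match the key id in knot's key: section` next to `key_name`. `server = "ns1.kittywit.ch"` is resolved at apply time through the very zone being updated; if ns1's address is static, pointing at the IP avoids that bootstrap dependency. The enclosing attribute set starts and ends outside the hunk.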