diff --git a/applications/dns/dns.nix b/applications/dns/dns.nix index 82bec0e..a2725f3 100644 --- a/applications/dns/dns.nix +++ b/applications/dns/dns.nix @@ -11,6 +11,22 @@ # reads that date to a string (will need to be fixed in 2038) current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}"; + # this gets a list of all domains we have records for + domains = lib.lists.naturalSort ( + lib.lists.unique ( + lib.lists.forEach records (record: record.domain) + ) + ); + + domains_owned = [ + # for historic reasons we own this + "csn.ul.ie" + # the main one we use now + "skynet.ie" + # a backup + "ulcompsoc.ie" + ]; + # gets a list of records that match this type filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records; filter_records_server = builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type "A"); @@ -205,10 +221,19 @@ then create_entry_etc_sub domain (text.old domain) else {}; - create_entry_zone = domain: extraConfig: { + create_entry_zone = domain: let + if_primary_and_owned = + if cfg.server.primary && (lib.lists.any (item: item == domain) domains_owned) + then '' + allow-update { key rfc2136key.skynet.ie.; }; + dnssec-policy default; + inline-signing yes; + '' + else ""; + in { "${domain}" = { extraConfig = '' - ${extraConfig} + ${if_primary_and_owned} // for bumping the config // ${current_date} ''; @@ -229,23 +254,6 @@ old = domain: get_config_file_old_domains domain; }; - extraConfig = { - owned = - if cfg.server.primary - then '' - allow-update { key rfc2136key.skynet.ie.; }; - - dnssec-policy default; - inline-signing yes; - '' - else ""; - - # no extra config for reverse - reverse = ""; - - old = ""; - }; - records = config.skynet.records ++ builtins.concatLists ( 
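Review bot: The comments on `domains_owned` (first hunk) say why each zone is held, but not what membership does, and the second hunk makes the list the switch for `allow-update` and DNSSEC signing on the primary. I would state that on the list itself, e.g. `# zones listed here get allow-update and dnssec-policy/inline-signing on the primary; every other zone is served without them`. Separately, `domains` is not referenced by any hunk visible here; if nothing outside the diff uses it yet, note that in its comment or leave it for the commit that needs it.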
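Review bot: `allow-update { key rfc2136key.skynet.ie.; };` in `if_primary_and_owned` (second hunk) lets any holder of that one TSIG key rewrite every record in all three owned zones, and moving the block is a good moment to narrow it. BIND's `update-policy` can limit the key to the record types it needs, for example `update-policy { grant rfc2136key.skynet.ie. zonesub TXT; };` if the key only ever manages TXT records; that use is an assumption to check against whatever consumes the key. `allow-update` and `update-policy` cannot both be set on the same zone, so this replaces the existing line. As a style point, the membership test reads more directly as `builtins.elem domain domains_owned`.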
@@ -344,12 +352,12 @@ in {
 ];
 services.bind.zones =
- (create_entry_zone "csn.ul.ie" extraConfig.owned)
- // (create_entry_zone "skynet.ie" extraConfig.owned)
- // (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
- // (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
- // (create_entry_zone "conradcollins.net" extraConfig.old)
- // (create_entry_zone "edelharty.net" extraConfig.old);
+ (create_entry_zone "csn.ul.ie")
+ // (create_entry_zone "skynet.ie")
+ // (create_entry_zone "ulcompsoc.ie")
+ // (create_entry_zone "64-64.99.1.193.in-addr.arpa")
+ // (create_entry_zone "conradcollins.net")
+ // (create_entry_zone "edelharty.net");
 environment.etc =
 (create_entry_etc "csn.ul.ie" "owned")
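Review bot: The three owned zone names are still spelled out in `services.bind.zones`, separately from `domains_owned`, so the two lists can drift apart. A zone added here but not to the list, or misspelled in either place, is served without `dnssec-policy`/`inline-signing` and evaluation raises no error. Building the owned entries from the list removes the second copy: `(builtins.foldl' (acc: d: acc // create_entry_zone d) {} domains_owned)` followed by the existing `// (create_entry_zone ...)` terms for the reverse and old zones. The `environment.etc` lines below still pass `"owned"` by hand, which looks like the same duplication; that block continues outside the hunk.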