diff --git a/applications/dns.nix b/applications/dns.nix index 529755e..0eba340 100644 --- a/applications/dns.nix +++ b/applications/dns.nix @@ -59,6 +59,7 @@ in { }; }; + age.secrets.dns_dnskeys.file = ../secrets/dns_dnskeys.conf.age; config = lib.mkIf cfg.enable { services.bind = { @@ -66,11 +67,10 @@ in { ipv4Only = true; - #forwarders = [ - # these were in old config file - #"193.1.100.130" - #"193.1.100.131" - #]; + # need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns + extraConfig = '' + include "/run/agenix/dns_dnskeys"; + ''; zones = { /* @@ -88,7 +88,7 @@ in { */ "skynet.ie" = { - extraConfig = ""; + extraConfig = "allow-update { key rfc2136key.skynet.ie.; };"; # really wish teh nixos config didnt use master/slave master = true; slaves = [ ];
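Review bot: The new `age.secrets.dns_dnskeys.file` line is placed before `config = lib.mkIf cfg.enable {`, so it is outside the guarded block. The start of the attribute set is outside the hunk, but if the module also defines a top-level `options`, the module system rejects stray top-level attributes such as `age`. Even if it evaluates, the TSIG key file would be decrypted on every host importing this module, not only those that enable DNS, so move it inside the `config` block. agenix secrets default to root-owned mode 0400, so BIND would presumably fail to read the included file unless ownership is set, e.g. `age.secrets.dns_dnskeys = { file = ../secrets/dns_dnskeys.conf.age; owner = "named"; group = "named"; };` (confirm the account name the bind service runs as).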
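Review bot: The `include "/run/agenix/dns_dnskeys";` line hard-codes agenix's default secrets directory, so it breaks silently if the secret is renamed or the directory is changed. Reference the declared secret instead, `include "${config.age.secrets.dns_dnskeys.path}";`, assuming `config` is among the module arguments (the function header is outside the hunk). Including the key material at runtime rather than inlining it is the right approach, and a comment such as `# TSIG keys are included from the agenix-decrypted file so they never land in the world-readable Nix store` would record why. The "need to take a look at" comment reads like an open task and would be clearer as an explicit `# TODO:`.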
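Review bot: `allow-update { key rfc2136key.skynet.ie.; };` lets any holder of that TSIG key add, change or delete every record in `skynet.ie`, so a leak of the key from any client amounts to full control of the zone. If the key exists only for the ACME DNS-01 setup linked earlier in this diff, scope it with an update policy, e.g. `extraConfig = "update-policy { grant rfc2136key.skynet.ie. name _acme-challenge.skynet.ie. TXT; };";`, adding one `grant` per validated name. Dynamic updates also need the zone file and its journal to be writable by named, which a zone file in the Nix store is not. The zone's `file` setting is outside this hunk, so that should be confirmed.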