diff --git a/modules/bind9/default.nix b/modules/bind9/default.nix index 68d4025..bd23a89 100644 --- a/modules/bind9/default.nix +++ b/modules/bind9/default.nix @@ -30,16 +30,20 @@ in { forwarders { }; directory "/run/named"; pid-file "/run/named/named.pid"; - allow-transfer { none; }; allow-recursion { none; }; version none; notify no; }; + key "kun.is." { + algorithm hmac-sha512; + secret "ref+sops://secrets.yml#/bind/zoneTransferKeys/kunis+"; + }; + zone "kun.is" { type master; file "/etc/bind/kun.is.zone"; - allow-transfer { }; + allow-transfer { 192.168.20.91; }; allow-query { any; }; }; ''; diff --git a/modules/bind9/kun.is.zone.nix b/modules/bind9/kun.is.zone.nix index 815bc1c..f9562a5 100644 --- a/modules/bind9/kun.is.zone.nix +++ b/modules/bind9/kun.is.zone.nix @@ -1,11 +1,13 @@ globals: dns: with dns.lib.combinators; { + TTL = 300; + CAA = letsEncrypt "caa@kun.is"; SOA = { nameServer = "ns1"; adminEmail = "webmaster.kun.is"; - serial = 2024041302; + serial = 2025070600; }; NS = [ diff --git a/secrets.yml b/secrets.yml index 764c9a4..3139441 100644 --- a/secrets.yml +++ b/secrets.yml @@ -55,11 +55,10 @@ authentik: smtp2go: username: ENC[AES256_GCM,data:BEr7Rq7rlGvfYEpY/ZXnhM2eClnHdqU81A==,iv:dwYD5h+C5bzS9ikUgxQ51+jRQ32TtDy2PhDbd1tpS8Q=,tag:CjjLDz5n4H28qi8jWf9S4w==,type:str] password: ENC[AES256_GCM,data:Yys6qy6DRYo16+X+Uj9oa9otjaKBnHOtIQ==,iv:G7H9mxsODShFoVlNMwuV8O18NBG/7LTFDFdqnH83YkE=,tag:hSlYp27QMoPZwiKBqyOpKA==,type:str] +bind: + zoneTransferKeys: + kunis: ENC[AES256_GCM,data:OBCPQDko7075wipcaVRBX6UmtUaA3g7qHs103cWYH9G+WrOkCHppCm+DWk2s4wqo+4hEf2j9ie9O/rvank9tHfHtpfQTYmjVoQzgZHFM5urLeQOqh4PLwg==,iv:9yBvjB1NBPH5aZCzUglm2GcmlMxUMCb6wMXL74gfd18=,tag:QeErY8EDlBCitfFe48sidA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age189laethzry4ylnd790dmpuc4xjjuwqxruc76caj3ceqhqug4g9qs0upuvw enc: | 
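Review bot: In modules/bind9/default.nix the new `key "kun.is."` block is not referenced anywhere in the hunk, so the zone's `allow-transfer { 192.168.20.91; };` authorises transfers by source address alone and the TSIG secret is not enforced. If the secondary is meant to authenticate, the ACL should name the key, e.g. `allow-transfer { key "kun.is."; };`. The same hunk drops the global `allow-transfer { none; };` from the options block, so any zone without its own statement falls back to the BIND default, which on some versions permits transfers to any host; keeping the global deny would preserve the fail-closed behaviour. The configuration string starts outside the hunk, so other zones or a `server` statement using the key may exist but are not visible here.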
@@ -79,8 +78,7 @@ sops: azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-26T20:32:01Z" - mac: ENC[AES256_GCM,data:si28Fu1crF2mYYCJAgN95+G8iJkn4T9wF0Itpi+5cjoSZ2ebxm2wWnVLQ9PwLIkHVF7nNbQM4fWy3eGIWWpexW6ReEc/aGJBLM0L4ho7iFaO1tzWEa5nTyz3QQH8kap1xvqEYgwH9EDkblc4gFpCUDnYbBt9lNcRCZ3JzeYoPxQ=,iv:QHsvuyCCn+9oe5ZQJi2/qDtV7Z2N4JMfqXUEqJkzKH4=,tag:2NGB4VR5bPEZmIC/lYX2VQ==,type:str] - pgp: [] + lastmodified: "2025-07-06T15:01:44Z" + mac: ENC[AES256_GCM,data:RqNGiO/TltGMMfhV2MsEH7uaJ+Cj2Ay6bDBBgV8Drs9pLSSqNZl6yr45Ze5lALU/ieV0ssfuPBBe7A5QnWpBUTcAoY0FX7XbOuRwR0BVR7+c4AgLrKybovvKR7Fm7gOZGZ3bwtvoYpn5mQhIODXYehvXihdiOxshAj5oWCPlp9w=,iv:J73EBrJVO121Gfia3xnfrr3Gyennp3+cnuh8rSrcJZM=,tag:nd/xWyT1/wSVo529GuS12g==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.4 + version: 3.10.2