diff --git a/howto/dns.md b/howto/dns.md
index a153a6b26aa944893bf89961d89591a3d132b088..39ee545430cdaf76b7f17df54f9cc2988dbfb484 100644
--- a/howto/dns.md
+++ b/howto/dns.md
@@ -607,3 +607,54 @@ There's been some critiques of DNSSEC over the years, here's a talk I
 found about it recently:
 
  * [Geoff Huston - DNSSEC: Yes or No](https://ripe86.ripe.net/archives/video/1018/) at [RIPE 86](https://ripe86.ripe.net/) (May 2023), [slides](https://ripe86.ripe.net/presentations/51-2023-05-23-dnssec.pdf)
+
+### automatic DNSSEC management with bind
+
+Right now, the Nagios check (!) is responsible for key rotation and
+all that stuff. We could move this in bind directly. Here's how weasel
+is currently experimenting with it:
+
+```
+ inline-signing yes;
+
+ };
++  dnssec-policy "dnssec-policy-mustelid.at" {
++    keys {
++      // ksk key-directory lifetime P2Y algorithm rsasha256 2048;
++      // zsk key-directory lifetime P4M algorithm rsasha256 2048;
++      ksk key-directory lifetime P4M algorithm rsasha256 2048;
++      zsk key-directory lifetime P50D algorithm rsasha256 1536;
++    };
++
++    dnskey-ttl P1D;
++    max-zone-ttl P1W;
++    nsec3param;
++
++    publish-safety P15D;
++    purge-keys P90D;
++    retire-safety P15D;
++
++    zone-propagation-delay PT8H;
++
++    signatures-refresh P25D;
++    signatures-validity P40D;
++    signatures-validity-dnskey P40D;
++  };
++
+ zone "mustelid.at" {
+         type master;
+         file "/srv/dns.noreply.org/var/generated/mustelid.at";
+@@ -506,12 +542,12 @@
+  2a04:dd00:21:3::2   ; // ns2.sthu.org/plato.sthu.org
+
+         };
+-        key-directory "/srv/dns.noreply.org/var/keys/mustelid.at";
+-sig-validity-interval 40 25;
+-auto-dnssec maintain;
+-inline-signing yes;
++          key-directory "/srv/dns.noreply.org/var/keys/mustelid.at";
++  dnssec-policy "dnssec-policy-mustelid.at";
++  inline-signing yes;
+  
+ };
+ ```