diff --git a/howto/dns.md b/howto/dns.md index 4a4de0d4f65512ca3b99bd3cdf52ef1dc4a356c0..ecc90dc495097244cdd8232062f1b6bb24ca521f 100644 --- a/howto/dns.md +++ b/howto/dns.md @@ -226,10 +226,38 @@ If it's not delegated, it's because you forgot step 8 in the zone addition procedure. Ask your upstream or registrar to delegate the zone and run the checks again. -# Design + +# Discussion + +## Design This needs to be documented better. weasel made a [blog post](https://dsa.debian.org/dsablog/2014/The_Debian_DNS_universe/) describing parts of the infrastructure on Debian.org, and that is partly relevant to TPO as well. TODO: adapt this document to the [service template](template). + +## Automation + +Debian has a [set of scripts](https://salsa.debian.org/dsa-team/mirror/dsa-misc/-/tree/master/scripts/dns-providers) to automate talking to some providers +like Netnod. A YAML file has metadata about the configuration, and +pushing changes is as simple as: + + publish tor-dnsnode.yaml + +That config file would look something like: + + --- + endpoint: https://dnsnodeapi.netnod.se/apiv3/ + base_zone: + endcustomer: "TorProject" + masters: + # nevii.torproject.org + - ip: "49.12.57.130" + tsig: "netnod-torproject-20180831." + - ip: "2a01:4f8:fff0:4f:266:37ff:fee9:5df8" + tsig: "netnod-torproject-20180831." + product: "probono-premium-anycast" + +This is not currently in use at TPO and changes are operated manually +through the web interface.
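Review bot: The new Automation section's example config names a `tsig:` key and an `endpoint:` URL, but nothing in the text says where the TSIG secret or the API credentials used by `publish tor-dnsnode.yaml` are stored. Add a sentence saying where they live and that they should not be added to this YAML file, so nobody commits them alongside the metadata. It would also help to name which script in the linked dns-providers directory provides `publish`. Since the closing paragraph says this is not in use at TPO, consider marking the master IPs and the `netnod-torproject-20180831.` key name as an illustrative snapshot that can drift from what is set in the web interface.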