diff --git a/.gitignore b/.gitignore index 8fb98c6..281dc2c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .env .DS_Store -moeny.ai \ No newline at end of file +moeny.ai +history.txt \ No newline at end of file diff --git a/README.md b/README.md index 3532e2b..98cb35b 100644 --- a/README.md +++ b/README.md 
@@ -19,4 +19,111 @@ sudo systemctl status bind9 5. Check its syntax with `named-checkzone example.com /etc/bind/zones/example.com`. -6. Restart bind9 with `sudo systemctl restart bind9`. \ No newline at end of file +6. Restart bind9 with `sudo systemctl restart bind9`. + +## Enable Dynamic DNS Updates with a TSIG key +1. We will first need to generate a TSIG (Transaction Signature) key +```bash +sudo tsig-keygen -a HMAC-SHA256 key-name > /etc/bind/keys/tsig.key +``` + +This will create the key in `/etc/bind/keys/tsig.key`, assign it the name `key-name`, and generate a secret for it. The file will look something like this but with your name and secret: +``` +key "key-name" { + algorithm hmac-sha256; + secret "NqG1yS23A0K2mCxl3zOaa+e1/UDr3J68u3w8Tg=="; +}; +``` + + +2. Create `/etc/bind/dnssec-policies.conf` with the following. Replace `moeny-policy` with your own name. +``` +dnssec-policy "moeny-policy" { + keys { + ksk lifetime unlimited algorithm ecdsap256sha256; + zsk lifetime unlimited algorithm ecdsap256sha256; + }; + max-zone-ttl 1d; + parent-ds-ttl 1d; + parent-propagation-delay 1h; + signatures-refresh 1d; + signatures-validity 30d; + signatures-validity-dnskey 30d; +}; +``` + + +3. Add the following lines to your `/etc/bind/named.conf` to include the files we just created. +``` +include "/etc/bind/keys/tsig.key"; +include "/etc/bind/dnssec-policies.conf"; +``` + +You may also want to add logging: +``` +logging { + channel update_debug { + file "/var/log/named/update_debug.log" versions 3 size 100m; + severity debug; + print-category yes; + print-severity yes; + print-time yes; + }; + category update { update_debug; }; + category security { update_debug; }; + category database { update_debug; }; +}; +``` + + +4. Add the following lines to your `/etc/bind/named.conf.local` under the zone definition. Be sure to replace `key-name` and `moeny-policy` with your own names from `tsig.key` and `dnssec-policies.conf`. 
+``` +allow-update { key "key-name"; }; +dnssec-policy "moeny-policy"; +inline-signing yes; +``` + + +5. If your DNS server has Apparmor, it may prevent the named service from writing journal files in `/etc/bind/zones` and performing other required tasks. To prevent this issue add the content of [`usr.sbin.named`](apparmor-config/usr.sbin.named) in `/etc/apparmor.d/local/usr.sbin.named`. Also, ensure that the `bind` user has permissions to read and write to `/etc/bind/zones` to begin with. + + +6. Restart `named` and `bind9`. +``` +sudo systemctl restart named +sudo systemctl status named +sudo systemctl restart bind9 +sudo systemctl status bind9 +``` + + +7. You should now be ready to test the TSIG key on your DNS server, using the `nsupdate` command. +```bash +nsupdate -k /etc/bind/keys/tsig.key -d +> server 127.0.0.1 +> debug yes +> zone moeny.ai +> update add test.moeny.ai 300 A 192.168.1.200 +> send +> quit +``` + +This will add a record for `test.moeny.ai` which you can then check for with `dig @127.0.0.1 test.moeny.ai`. When ready to remove the record, run `nsupdate` again but issue a delete. +```bash +nsupdate -k /etc/bind/keys/tsig.key -d +> server 127.0.0.1 +> debug yes +> zone moeny.ai +> update delete test.moeny.ai A +> send +> quit +``` + +From now on, you will want to use `nsupdate` or a similar utility to edit and interact with the zone file, rather than editing it directly. Also, note that you will now have a `.signed` zone file, as well as `.jnl` and potentially `.jbk` files in `/etc/bind/zones`. The journal files store pending dynamic updates before they are committed to the zone file. + + +8. You may want to take a look at some info on [Journal Files](https://bind9.readthedocs.io/en/v9.16.24/advanced.html#the-journal-file). + +- `rndc freeze zone` stops dynamic updates and writes all changes from memory to disk. +- `rndc thaw zone` re-enables dynamic updates and should be run after the freeze. 
+- `rndc sync zone` forces an immediate sync of the in-memory zone to disk without freezing it. +- `rndc sync -clean` is the same as `rndc sync`, but also removes journal files (*.jnl). \ No newline at end of file diff --git a/apparmor-config/usr.sbin.named b/apparmor-config/usr.sbin.named new file mode 100644 index 0000000..d0dbae2 --- /dev/null +++ b/apparmor-config/usr.sbin.named @@ -0,0 +1,19 @@ +# /etc/apparmor.d/local/usr.sbin.named + +# Site-specific additions and overrides for usr.sbin.named. +/etc/bind/zones/** rw, +/etc/bind/zones/moeny.ai.signed* rw, +/etc/bind/zones/*.jnl rw, +/var/cache/bind/dynamic/** rw, +/etc/bind/zones/tmp-* rw, + +# Allow zone file operations +/etc/bind/zones/ rw, +/etc/bind/zones/** rwk, +/etc/bind/zones/moeny.ai* rwk, +/etc/bind/zones/tmp-* rwk, +/var/log/named/ rw, +/var/log/named/** rwk, +/var/log/named.log rwk, +/var/cache/bind/** rwk, +/var/cache/bind/dynamic/** rwk, \ No newline at end of file diff --git a/dnssec-policies.conf b/dnssec-policies.conf new file mode 100644 index 0000000..a615041 --- /dev/null +++ b/dnssec-policies.conf @@ -0,0 +1,12 @@ +dnssec-policy "moeny-policy" { + keys { + ksk lifetime unlimited algorithm ecdsap256sha256; + zsk lifetime unlimited algorithm ecdsap256sha256; + }; + max-zone-ttl 1d; + parent-ds-ttl 1d; + parent-propagation-delay 1h; + signatures-refresh 1d; + signatures-validity 30d; + signatures-validity-dnskey 30d; +}; \ No newline at end of file diff --git a/keys/tsig.key b/keys/tsig.key new file mode 100644 index 0000000..9577b83 --- /dev/null +++ b/keys/tsig.key @@ -0,0 +1,5 @@ +# Sample TSIG key with placeholder secret - replace with a real TSIG key before use +key "tsig-key" { + algorithm hmac-sha256; + secret "NqG1yS23A0K2mCxl3zOaa+e1/UDr3J68u3w8Tg=="; +}; \ No newline at end of file diff --git a/named.conf b/named.conf new file mode 100644 index 0000000..019e0fa --- /dev/null +++ b/named.conf 
@@ -0,0 +1,26 @@ +// This is the primary configuration file for the BIND DNS server named. +// +// Please read /usr/share/doc/bind9/README.Debian.gz for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize +// this configuration file. +// +// If you are just adding zones, please do that in /etc/bind/named.conf.local + +include "/etc/bind/named.conf.options"; +include "/etc/bind/named.conf.local"; +include "/etc/bind/named.conf.default-zones"; +include "/etc/bind/keys/tsig.key"; +include "/etc/bind/dnssec-policies.conf"; + +logging { + channel update_debug { + file "/var/log/named/update_debug.log" versions 3 size 100m; + severity debug; + print-category yes; + print-severity yes; + print-time yes; + }; + category update { update_debug; }; + category security { update_debug; }; + category database { update_debug; }; +}; \ No newline at end of file diff --git a/named.conf.local b/named.conf.local index bea9a84..83289eb 100644 --- a/named.conf.local +++ b/named.conf.local @@ -10,4 +10,8 @@ zone "moeny.ai" IN { type master; file "/etc/bind/zones/moeny.ai"; + // Uncomment the 3 lines below if using a tsig key + // allow-update { key "tsig-key"; }; + // dnssec-policy "moeny-policy"; + // inline-signing yes; }; \ No newline at end of file
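Review bot: this same patch adds `keys/tsig.key` to the repository, so the `.gitignore` hunk should also ignore `keys/` (or at least `keys/tsig.key`) next to `history.txt` and `moeny.ai`; once the placeholder secret is replaced by the key that `tsig-keygen` generates in README step 1, the next `git add` would otherwise commit a live HMAC secret that authorizes zone updates.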
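Review bot: in README step 1, `sudo tsig-keygen -a HMAC-SHA256 key-name > /etc/bind/keys/tsig.key` runs only `tsig-keygen` as root; the `>` redirect is performed by the invoking user's shell, so unless you are already root the write into `/etc/bind/keys/` fails with permission denied (and nothing in the patch creates that directory). Suggest `sudo mkdir -p /etc/bind/keys`, then `sudo sh -c 'tsig-keygen -a HMAC-SHA256 key-name > /etc/bind/keys/tsig.key'`, followed by `sudo chown root:bind /etc/bind/keys/tsig.key && sudo chmod 640 /etc/bind/keys/tsig.key` so the secret is readable by named but not by other local users. Step 5 also stops at dropping the override into `/etc/apparmor.d/local/usr.sbin.named`; the profile has to be reloaded (`sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.named`) before the new rules take effect, otherwise the journal-write denials persist until the next boot.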
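Review bot: the AppArmor file carries overlapping rules: `/etc/bind/zones/** rw,` and `/etc/bind/zones/** rwk,` both appear, as do `/etc/bind/zones/tmp-* rw,` / `rwk,` and `/var/cache/bind/dynamic/** rw,` / `rwk,`, and `/etc/bind/zones/moeny.ai.signed* rw,` is already matched by `/etc/bind/zones/moeny.ai* rwk,`. The first block (the five `rw` lines) can be deleted outright, since every path in it is covered by an `rwk` rule in the second block, and the remaining list is easier to audit. The site-specific `moeny.ai*` rules are likewise subsumed by `/etc/bind/zones/**`; dropping them makes the file reusable for other zones. Finally, `/var/log/named.log rwk,` grants a file that nothing in this patch configures (named.conf logs to `/var/log/named/update_debug.log`), so it can go unless another channel writes there.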
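Review bot: `ksk lifetime unlimited` and `zsk lifetime unlimited` disable automatic key rollover entirely. That is a legitimate operational choice, but it deserves a comment in this file (and a sentence in README step 2) so a future operator knows that the keys are never rotated and that a key compromise or algorithm change requires a manual rollover. If rollover is wanted, a bounded ZSK lifetime such as `zsk lifetime P60D algorithm ecdsap256sha256;` with the KSK left unlimited is the usual pattern. Note also that `parent-ds-ttl` and `parent-propagation-delay` only come into play once the DS record is published at the parent, a step the README does not yet describe.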
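Review bot: the key name in this file is `tsig-key`, while README step 1 generates `key-name` and step 4 shows `allow-update { key "key-name"; };`, and named.conf.local references `tsig-key`. Pick one name across the README, this file and named.conf.local so that a copy-paste of the README does not produce an `allow-update` that refers to an undefined key. Since the secret is a placeholder, naming the file `tsig.key.example` (and keeping `keys/tsig.key` out of the repo) prevents the real file generated in step 1 from being confused with, or committed over, the sample.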
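Review bot: the logging block sends `category security` and `category database` at `severity debug` into the update log, which buries the audit-relevant lines (which client sent an update and whether its TSIG check passed) under database internals. For reviewing dynamic updates, `category update` plus `category update-security` at `severity info` is sufficient; keep `debug` only while troubleshooting. Also, `file "/var/log/named/update_debug.log"` needs `/var/log/named/` to exist and be owned by the `bind` user before named starts; the AppArmor file grants access to it but nothing in the patch creates it, so add `sudo install -d -o bind -g bind /var/log/named` to README step 3.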
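Review bot: `allow-update { key "tsig-key"; };` lets any holder of the key add or delete any record in `moeny.ai`, apex NS and SOA included. If the key is only meant to manage host records as in README step 7, `update-policy { grant tsig-key zonesub A AAAA; };` (mutually exclusive with `allow-update`) limits it to those types, and `update-policy { grant tsig-key name test.moeny.ai A; };` narrows it to a single name. Either way, the comment "Uncomment the 3 lines below if using a tsig key" says how but not what the key is allowed to change; stating that scope next to the grant makes the zone easier to audit.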