diff --git a/nix/nixos-module/container/dns.nix b/nix/nixos-module/container/dns.nix
index cfc466f..78ea8be 100644
--- a/nix/nixos-module/container/dns.nix
+++ b/nix/nixos-module/container/dns.nix
@@ -332,11 +332,11 @@ in
         '';
       });
 
-    systemd.services.dynamic-zones = {
+    systemd.services.create-dynamic-zones = {
+      description = "Creates dynamic zone files";
       requiredBy = [ "bind.service" ];
       before = [ "bind.service" ];
       serviceConfig.Type = "oneshot";
-      # TODO: initial records
       script = ''
         mkdir -p /var/db/bind
 
@@ -350,5 +350,28 @@ in
         )}
       '';
     };
+    systemd.services.update-dynamic-zones = {
+      description = "Creates initial records in dynamic zone files";
+      requiredBy = [ "bind.service" ];
+      after = [ "bind.service" ];
+      serviceConfig.Type = "oneshot";
+      path = [ pkgs.dnsutils ];
+      script = ''
+        ${lib.concatMapStrings (zone: ''
+          nsupdate -y "hmac-sha256:dyndns:${inputs.zentralwerk-network-key.lib.dyndnsKey}" <<EOF
+          server localhost
+
+          ${lib.concatMapStringsSep "\n" ({ name, type, data }: ''
+            delete ${name}.${zone.name}. IN ${type}
+            add ${name}.${zone.name}. 3600 IN ${type} ${data}
+          '') zone.records}
+
+          send
+          EOF
+        '') (
+          builtins.filter ({ dynamic, ... }: dynamic) config.site.dns.localZones
+        )}
+      '';
+    };
   };
 }