diff --git a/bundles/powerdns/items.py b/bundles/powerdns/items.py
index b6a5e8f..c972f90 100644
--- a/bundles/powerdns/items.py
+++ b/bundles/powerdns/items.py
@@ -2,13 +2,14 @@ from datetime import datetime from os import listdir from os.path import isfile, join from subprocess import check_output +from textwrap import dedent from bundlewrap.utils.ui import io zone_path = join(repo.path, 'data', 'powerdns', 'files', 'bind-zones') nameservers = set() -for rnode in sorted(repo.nodes_in_group('dns')): +for rnode in repo.nodes_in_group('dns'): nameservers.add(rnode.metadata.get('powerdns/my_hostname', rnode.metadata.get('hostname'))) my_primary_servers = set()
@@ -75,25 +76,45 @@ actions = { } if node.metadata.get('powerdns/features/bind', False): + try: + output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip() + serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M') + except Exception as e: + io.stderr(f"{node.name} Error while parsing commit time for powerdns zone serial: {e!r}") + serial = datetime.now().strftime('%y%m%d0000') + + HEADER = dedent(f""" + $TTL 60 + @ IN SOA ns-mephisto.kunbox.net. hostmaster.kunbox.net. ( + {serial} + 3600 + 600 + 86400 + 300 + ) + """).strip() + + for ns in sorted(nameservers): + HEADER += f"\n@ IN NS {ns}." + primary_zones = set() for zone in listdir(zone_path): - if not isfile(join(zone_path, zone)) or zone.startswith(".") or zone.startswith("_"): + if ( + not ( + isfile(join(zone_path, zone)) + or islink(join(zone_path, zone)) + ) + or zone.startswith(".") + or zone.startswith("_") + ): continue - try: - output = check_output(['git', 'log', '-1', '--pretty=%ci']).decode('utf-8').strip() - serial = datetime.strptime(output, '%Y-%m-%d %H:%M:%S %z').strftime('%y%m%d%H%M') - except Exception as e: - io.stderr(f"Error while parsing commit time for {zone} serial: {e!r}") - serial = datetime.now().strftime('%y%m%d0000') - primary_zones.add(zone) files[f'/var/lib/powerdns/zones/{zone}'] = { 'content_type': 'mako', 'context': { - 'NAMESERVERS': '\n'.join(sorted({f'@ IN NS {ns}.' for ns in nameservers})), - 'SERIAL': serial, + 'HEADER': HEADER + f"\n$ORIGIN {zone}.", 'metadata_records': node.metadata.get(f'powerdns/bind-zones/{zone}/records', []), }, 'source': f'bind-zones/{zone}',
diff --git a/data/powerdns/files/bind-zones/_mail_NULL b/data/powerdns/files/bind-zones/_mail_NULL
new file mode 100644
index 0000000..907abc8
--- /dev/null
+++ b/data/powerdns/files/bind-zones/_mail_NULL
@@ -0,0 +1,2 @@
+@ IN TXT "v=spf1 -all"
+_dmarc IN TXT "v=DMARC1; p=reject"
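Review bot: `islink` is called in the new zone filter, but the import line visible in the first hunk is still `from os.path import isfile, join`, so unless the name is imported outside the visible hunks the second operand raises NameError whenever `isfile(...)` is false (a directory or a dangling symlink in `bind-zones`). `isfile` already follows symlinks, so the links to `_parked` pass without it; either drop the `or islink(join(zone_path, zone))` operand or change the import to `from os.path import isfile, islink, join`. Keeping `islink` also admits dangling links and links to directories as zones, which would presumably only fail later when `'source': f'bind-zones/{zone}'` is read. The enclosing `if node.metadata.get('powerdns/features/bind', False):` block continues past the end of the hunk.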
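Review bot: The no-mail template publishes `v=spf1 -all` and `p=reject` but no null MX, so sending servers still fall back to a zone's A/AAAA records for delivery attempts (afra.berlin includes this template and has both). Adding `@ IN MX 0 .` (RFC 7505) states explicitly that the domain accepts no mail. A leading comment such as `; for domains that neither send nor receive mail` would also document what the template is for.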
diff --git a/data/powerdns/files/bind-zones/_mail_carlene b/data/powerdns/files/bind-zones/_mail_carlene
new file mode 100644
index 0000000..7a8e210
--- /dev/null
+++ b/data/powerdns/files/bind-zones/_mail_carlene
@@ -0,0 +1,11 @@
+@ IN TXT "v=spf1 mx -all"
+@ IN MX 10 mail.franzi.business.
+_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@kunbox.net; ruf=mailto:dmarc@kunbox.net; fo=0:d:s; adkim=s; aspf=s"
+_mta-sts IN TXT "v=STSv1;id=20201111;"
+_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:tlsrpt@kunbox.net"
+
+mta-sts IN CNAME carlene.kunbox.net.
+
+2019._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwkg6UAcu3V98hal1UVf6yB0WT1CKDS0AK83CUlSP8bUwraPxkxK1nkQOUsmjbQs6a3FhdsKprMi32GeUaTVvZg81JIybPk3jNugfNWfSjs2TXPomYu+XD2pmmbR3cZlzC5NGR2nmBFt/P/S2ihPHj35KziiBIwK1TdvOi1M2+upCjK33Icco0ByCm0gJpD2O0cbqcBcUKqd6X440vYhNXH1ygp0e91P0iRnvS9sg6yD0xjD8kD6j/8GfxBY+9bpU3EvDoBgyJSbjw5b6PUVJbKMXzw1NIRNj0SXKs5BakjS8+7u62vR11IPCYRwy+yr0rDT0tNegM7gStIIgoTpOoQIDAQAB"
+
+uo4anejdvvdw8bkne3kjiqavcqmj0416._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnh5Ym9PO7r+wdOIKfopvHzn3KU3qT6IlCG/gvvbmIqoeFQfRbAe3gQmcG6RcLue55cJQGhI6y2r0lm59ZeoHR40aM+VabAOlplekM7xWmoXb/9vG2OZLIqAyF4I+7GQmTN6B9keBHp9SWtDUkI0B0G9neZ5MkXJP705M0duxritqQlb4YvCZwteHiyckKcg9aE9j+GF2EEawBoVDpoveoB3+wgde3lWEUjjwKFtXNXxuN354o6jgXgPNWtIEdPMLfK/o0CaCjZNlzaLTsTegY/+67hdHFqDmm8zXO9s+Xiyfq7CVq21t7wDhQ2W1agj+up6lH82FMh5rZNxJ6XB0yQIDAQAB"
diff --git a/data/powerdns/files/bind-zones/_parked b/data/powerdns/files/bind-zones/_parked
new file mode 100644
index 0000000..8331fc4
--- /dev/null
+++ b/data/powerdns/files/bind-zones/_parked
@@ -0,0 +1,3 @@
+${HEADER}
+
+<%include file="bind-zones/_mail_NULL" />
diff --git a/data/powerdns/files/bind-zones/afra.berlin b/data/powerdns/files/bind-zones/afra.berlin
new file mode 100644
index 0000000..93ffc96
--- /dev/null
+++ b/data/powerdns/files/bind-zones/afra.berlin
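Review bot: The `rua`/`ruf` addresses in the `_dmarc` record of `_mail_carlene` are at kunbox.net, while the template is included by other domains in this commit (felix-kunsmann.de, flauschehorn.sexy, franzi.business and others). RFC 7489 section 7.1 has report senders look for an authorisation record such as `franzi.business._report._dmarc.kunbox.net. IN TXT "v=DMARC1"` before mailing reports to an external domain. The kunbox.net zone is only partly visible in this diff, so confirm those records (or a wildcard `*._report._dmarc`) exist there; without them the aggregate and failure reports are likely never sent. The hard-coded `id=20201111` in `_mta-sts` also has to change whenever the served policy changes, which deserves a comment next to that record.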
@@ -0,0 +1,6 @@
+${HEADER}
+
+@ IN AAAA 2a0a:51c0:0:225::2
+@ IN A 193.135.9.29
+
+<%include file="bind-zones/_mail_NULL" />
diff --git a/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org b/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org
new file mode 120000
index 0000000..e0f69f8
--- /dev/null
+++ b/data/powerdns/files/bind-zones/die-brontosaurier-waren-es.org
@@ -0,0 +1 @@
+_parked
\ No newline at end of file
diff --git a/data/powerdns/files/bind-zones/emails.sexy b/data/powerdns/files/bind-zones/emails.sexy
new file mode 120000
index 0000000..e0f69f8
--- /dev/null
+++ b/data/powerdns/files/bind-zones/emails.sexy
@@ -0,0 +1 @@
+_parked
\ No newline at end of file
diff --git a/data/powerdns/files/bind-zones/eskalation.jetzt b/data/powerdns/files/bind-zones/eskalation.jetzt
new file mode 100644
index 0000000..8331fc4
--- /dev/null
+++ b/data/powerdns/files/bind-zones/eskalation.jetzt
@@ -0,0 +1,3 @@
+${HEADER}
+
+<%include file="bind-zones/_mail_NULL" />
diff --git a/data/powerdns/files/bind-zones/felix-kunsmann.de b/data/powerdns/files/bind-zones/felix-kunsmann.de
new file mode 100644
index 0000000..42bac92
--- /dev/null
+++ b/data/powerdns/files/bind-zones/felix-kunsmann.de
@@ -0,0 +1,3 @@
+${HEADER}
+
+<%include file="bind-zones/_mail_carlene" />
diff --git a/data/powerdns/files/bind-zones/flauschehorn.sexy b/data/powerdns/files/bind-zones/flauschehorn.sexy
new file mode 100644
index 0000000..4779fe4
--- /dev/null
+++ b/data/powerdns/files/bind-zones/flauschehorn.sexy
@@ -0,0 +1,8 @@
+${HEADER}
+
+@ IN AAAA 2a03:4000:4d:5e::1
+@ IN A 194.36.145.49
+
+<%include file="bind-zones/_mail_carlene" />
+
+_acme-challenge IN CNAME 63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme.ctu.cx.
diff --git a/data/powerdns/files/bind-zones/franzi.business b/data/powerdns/files/bind-zones/franzi.business
new file mode 100644
index 0000000..ce864a7
--- /dev/null
+++ b/data/powerdns/files/bind-zones/franzi.business
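Review bot: The `_acme-challenge` CNAME in flauschehorn.sexy hands DNS-01 validation for this zone to `acme.ctu.cx`, so whoever controls that zone can obtain certificates for flauschehorn.sexy, wildcards included. Nothing in the file records that this delegation is intended; a comment above the record, e.g. `; ACME DNS-01 validation is delegated to ctu.cx on purpose`, would make the trust decision visible to the next editor. A CAA record limiting issuance to the CA actually in use would narrow what the delegate can request.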
@@ -0,0 +1,29 @@
+${HEADER}
+
+@ IN AAAA 2a0a:51c0:0:225::2
+@ IN A 193.135.9.29
+
+<%include file="bind-zones/_mail_carlene" />
+
+_atproto IN TXT "did=did:plc:d762mg6wvvmpeu66zojntlof"
+_token._dnswl IN TXT "gg3mbwjx9bbuo5osvh7oz6bc881wcmc"
+_matrix._tcp IN SRV 10 10 443 matrix.franzi.business.
+
+; carlene
+git IN CNAME carlene.kunbox.net.
+irc IN CNAME carlene.kunbox.net.
+mail IN CNAME carlene.kunbox.net.
+matrix IN CNAME carlene.kunbox.net.
+matrix-stickers IN CNAME carlene.kunbox.net.
+netbox IN CNAME carlene.kunbox.net.
+ntfy IN CNAME carlene.kunbox.net.
+postfixadmin IN CNAME carlene.kunbox.net.
+rss IN CNAME carlene.kunbox.net.
+travelynx IN CNAME carlene.kunbox.net.
+
+; icinga2
+icinga IN CNAME icinga2.kunbox.net.
+status IN CNAME icinga2.kunbox.net.
+
+; pretix
+tickets IN CNAME franzi-business.cname.pretix.eu.
diff --git a/data/powerdns/files/bind-zones/kunbox.net b/data/powerdns/files/bind-zones/kunbox.net
index bb45655..2292b7d 100644
--- a/data/powerdns/files/bind-zones/kunbox.net
+++ b/data/powerdns/files/bind-zones/kunbox.net
@@ -1,16 +1,4 @@ -$TTL 60 -@ IN SOA ns-mephisto.kunbox.net. hostmaster.kunbox.net. ( - ${SERIAL} - 3600 - 600 - 86400 - 300 - ) - - -${NAMESERVERS} - -$ORIGIN kunbox.net. +${HEADER} ; ends up on carlene.kunbox.net @ IN A 193.135.9.29
diff --git a/data/powerdns/files/bind-zones/kunsi.scot b/data/powerdns/files/bind-zones/kunsi.scot
new file mode 120000
index 0000000..e0f69f8
--- /dev/null
+++ b/data/powerdns/files/bind-zones/kunsi.scot
@@ -0,0 +1 @@
+_parked
\ No newline at end of file
diff --git a/data/powerdns/files/bind-zones/kunsitracker.de b/data/powerdns/files/bind-zones/kunsitracker.de
new file mode 100644
index 0000000..9c641b6
--- /dev/null
+++ b/data/powerdns/files/bind-zones/kunsitracker.de
@@ -0,0 +1,6 @@
+${HEADER}
+
+@ IN AAAA 2a0a:51c0:0:225::2
+@ IN A 193.135.9.29
+
+<%include file="bind-zones/_mail_carlene" />
diff --git a/data/powerdns/files/bind-zones/kunsmann.eu b/data/powerdns/files/bind-zones/kunsmann.eu
new file mode 100644
index 0000000..f5b8acf
--- /dev/null
+++ b/data/powerdns/files/bind-zones/kunsmann.eu
@@ -0,0 +1,14 @@
+${HEADER}
+
+@ IN AAAA 2a0a:51c0:0:225::2
+@ IN A 193.135.9.29
+
+<%include file="bind-zones/_mail_carlene" />
+
+@ IN TXT "google-site-verification=Xl-OBZpTL1maD2Qr8QmQ2aKRXZLnCmvddpFdrTT8L34"
+
+_token._dnswl IN TXT "5mx0rv9ru8s1zz4tf4xlt48osh09czmg"
+
+git IN CNAME git.franzi.business.
+grafana IN CNAME influxdb.htz-cloud.kunbox.net.
+influxdb IN CNAME influxdb.htz-cloud.kunbox.net.
diff --git a/data/powerdns/files/bind-zones/raptor.events b/data/powerdns/files/bind-zones/raptor.events
new file mode 120000
index 0000000..e0f69f8
--- /dev/null
+++ b/data/powerdns/files/bind-zones/raptor.events
@@ -0,0 +1 @@
+_parked
\ No newline at end of file
diff --git a/data/powerdns/files/bind-zones/trans-agenda.de b/data/powerdns/files/bind-zones/trans-agenda.de
new file mode 120000
index 0000000..e0f69f8
--- /dev/null
+++ b/data/powerdns/files/bind-zones/trans-agenda.de
@@ -0,0 +1 @@
+_parked
\ No newline at end of file
diff --git a/data/powerdns/files/bind-zones/trans-agenda.eu b/data/powerdns/files/bind-zones/trans-agenda.eu
new file mode 120000
index 0000000..e0f69f8
--- /dev/null
+++ b/data/powerdns/files/bind-zones/trans-agenda.eu
@@ -0,0 +1 @@
+_parked
\ No newline at end of file
diff --git a/data/powerdns/files/bind-zones/warnochwas.de b/data/powerdns/files/bind-zones/warnochwas.de
new file mode 100644
index 0000000..9c641b6
--- /dev/null
+++ b/data/powerdns/files/bind-zones/warnochwas.de
@@ -0,0 +1,6 @@
+${HEADER}
+
+@ IN AAAA 2a0a:51c0:0:225::2
+@ IN A 193.135.9.29
+
+<%include file="bind-zones/_mail_carlene" />
diff --git a/data/powerdns/files/bind-zones/winkeeinhorn.de b/data/powerdns/files/bind-zones/winkeeinhorn.de
new file mode 120000
index 0000000..e0f69f8
--- /dev/null
+++ b/data/powerdns/files/bind-zones/winkeeinhorn.de
@@ -0,0 +1 @@
+_parked
\ No newline at end of file