diff --git a/dnsapi.md b/dnsapi.md index 7caebd7..ebe95b2 100644 --- a/dnsapi.md +++ b/dnsapi.md @@ -155,6 +155,17 @@ zone "example.com" { }; } ``` +Notes on BIND 9.16.1-Ubuntu 20.04.3 LTS + +``` +# dnssec-keygen no longer do tsig algorithm, so tsig-keygen (came with bind9) +tsig-keygen -a hmac-sha512 acme | sudo tee /etc/bind/acme.key +# as nsupdate need creation of *.jnl where zone file resides, read /var/log/syslog for error details +sudo chmod g+w /etc/bind +# similar to above steps: include key, allow-update with key on target zone +# echo 'include "/etc/bind/acme.key";' | sudo tee --append /etc/bind/named.conf.local +``` + Finally, make the DNS server and update Key available to `acme.sh`
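Review bot: `sudo chmod g+w /etc/bind` in the added notes makes the whole BIND configuration directory group-writable just so named can create the `*.jnl` journal, and write access to the directory also lets that group delete or replace `named.conf.local` and the key file. Suggest keeping the dynamically updated zone file in a separate directory that named can write to and pointing the zone's `file` statement there, leaving `/etc/bind` unchanged. On the `tsig-keygen -a hmac-sha512 acme | sudo tee /etc/bind/acme.key` line, `tee` creates the key file under the default umask and echoes the secret to the terminal; add a step that restricts the file to root and the group named runs as (for example `sudo chmod 640 /etc/bind/acme.key`) and send tee's output to `/dev/null`. Minor: the final `# echo 'include ...` line is a commented-out command while the others are live, and the allow-update step is only described in a comment; show both as commands or describe both in prose.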