diff --git a/flake.nix b/flake.nix
index 7e60698..1bf7799 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@
   };
 
   outputs =
-    { nixpkgs, dns, ... }@inputs:
+    { self, nixpkgs, dns, ... }@inputs:
     let
       inherit (nixpkgs) lib;
       systems = [
@@ -19,29 +19,28 @@
         "aarch64-linux"
         "aarch64-darwin"
       ];
-      forAllSystems = f: lib.genAttrs systems f;
+      forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system nixpkgs.legacyPackages.${system});
     in
     {
-      packages = forAllSystems (
-        system:
-        let
-          pkgs = nixpkgs.legacyPackages.${system};
-        in
-        rec {
-          zoneFiles = pkgs.callPackage ./zoneConfig.nix {
-            inherit dns;
-          };
+      packages = forAllSystems (system: pkgs: rec {
+        zoneFiles = pkgs.callPackage ./zoneConfig.nix {
+          inherit dns;
+        };
 
-          nsdConfig = pkgs.callPackage ./nsd.conf.nix { inherit pkgs; };
+        nsdConfig = pkgs.callPackage ./nsd.conf.nix { };
 
-          default = pkgs.runCommand "pvv-dns" { } ''
-            mkdir -p $out/zones
-            mkdir -p $out/etc/nsd
+        default = pkgs.runCommand "pvv-dns" { } ''
+          mkdir -p $out/zones
+          mkdir -p $out/etc/nsd
 
-            cp -r ${zoneFiles}/* $out/zones/
-            cp -r ${nsdConfig} $out/etc/nsd/nsd.conf
-          '';
-        }
-      );
+          cp -r ${zoneFiles}/* $out/zones/
+          cp -r ${nsdConfig} $out/etc/nsd/nsd.conf
+        '';
+      });
+
+      checks = forAllSystems (system: _: rec {
+        zoneFiles = self.packages.${system}.zoneFiles.overrideAttrs { doCheck = true; };
+        nsdConfig = self.packages.${system}.nsdConfig.overrideAttrs { doCheck = true; };
+      });
     };
 }
diff --git a/nsd.conf.nix b/nsd.conf.nix
index 6b4b3bf..1c0a198 100644
--- a/nsd.conf.nix
+++ b/nsd.conf.nix
@@ -1,9 +1,19 @@
-{ pkgs, ... }:
+{
+  lib,
+  stdenvNoCC,
+  nsd,
+}:
 let
   sourceIP = "129.241.210.211"; # dvask.pvv.ntnu.no
 in
-pkgs.writeText "nsd.conf" (
-  ''
+stdenvNoCC.mkDerivation {
+  name = "nsd.conf";
+
+  dontUnpack = true;
+  dontBuild = true;
+
+  passAsFile = [ "configFile" ];
+  configFile = ''
     # Generated by https://git.pvv.ntnu.no/felixalb/PVV-DNS
     # See man 5 nsd.conf
 
@@ -56,5 +66,26 @@ pkgs.writeText "nsd.conf" (
         "pvv.ntnu.no"
         "pvv.org"
       ]
-  ))
-)
+  ));
+
+  doCheck = false;
+  nativeCheckInputs = [ nsd ];
+  checkPhase = ''
+    runHook preCheck
+
+    nsd-checkconf "$configFilePath"
+    echo 'nsd.conf is ok'
+
+    runHook postCheck
+  '';
+
+  installPhase = ''
+    runHook preCheck
+
+    install -Dm444 "$configFilePath" "$out"
+
+    runHook postCheck
+  '';
+
+  doFixup = false;
+}
diff --git a/zoneConfig.nix b/zoneConfig.nix
index c6a2b37..331cc05 100644
--- a/zoneConfig.nix
+++ b/zoneConfig.nix
@@ -4,6 +4,7 @@
 
   stdenvNoCC,
   writeText,
+  nsd,
 }:
 
 let
@@ -33,4 +34,14 @@ stdenvNoCC.mkDerivation {
     mkdir -p $out
   ''
   + (lib.concatMapAttrsStringSep "\n" (name: path: "cp ${path} $out/${name}.zone") zoneConfigs);
+
+  doCheck = false;
+  nativeCheckInputs = [ nsd ];
+  checkPhase = ''
+    runHook preCheck
+
+    ${lib.concatMapAttrsStringSep "\n" (name: zonefile: "nsd-checkzone '${name}' '${zonefile}'") zoneConfigs}
+
+    runHook postCheck
+  '';
 }