diff --git a/token-validator/domain.go b/token-validator/domain.go
index 46f3994..2497a72 100644
--- a/token-validator/domain.go
+++ b/token-validator/domain.go
@@ -15,12 +15,12 @@ import (
  "git.nemunai.re/lectures/adlin/libadlin"
  )
-const (
+var (
  ControlSocket = "[2a01:e0a:2b:2250::b]:53"
+ tsigName = "ddns."
+ tsigSecret = ""
  )
-var tsigSecret = map[string]string{"ddns.": "so6ZGir4GPAqINNh9U5c3A=="}
-
  func init() {
  router.GET("/api/adomains/", apiAuthHandler(func(student adlin.Student, ps httprouter.Params, body []byte) (interface{}, error) {
  return student.GetAssociatedDomains(), nil
@@ -139,9 +139,9 @@ func parseZoneRead(globalDomain string, domain string) (rr []Entry, err error) {
  t := new(dns.Transfer)
  m := new(dns.Msg)
- t.TsigSecret = tsigSecret
+ t.TsigSecret = map[string]string{tsigName: tsigSecret}
  m.SetAxfr(globalDomain)
- m.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ m.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  c, err := t.In(m, ControlSocket)
  if err != nil {
@@ -227,8 +227,8 @@ func delAssociatedDomains(student adlin.Student, dn string) (err error) {
  m1.Remove(rrs)
  c := new(dns.Client)
- c.TsigSecret = tsigSecret
- m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ c.TsigSecret = map[string]string{tsigName: tsigSecret}
+ m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  _, _, err = c.Exchange(m1, ControlSocket)
  if err != nil {
@@ -267,8 +267,8 @@ func AddAssociatedDomains(student adlin.Student, aaaa net.IP) (err error) {
  m2.Insert([]dns.RR{rrAAAA})
  c := new(dns.Client)
- c.TsigSecret = tsigSecret
- m2.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ c.TsigSecret = map[string]string{tsigName: tsigSecret}
+ m2.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  _, _, err = c.Exchange(m2, ControlSocket)
  return
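Review bot: The key material removed in `-var tsigSecret = map[string]string{"ddns.": "..."}` remains recoverable from the repository history, so the commit only stops future leaks; the key should be regenerated on the nameserver rather than reused through ADLIN_TSIG_SECRET. The new `tsigSecret = ""` default also means a plain build signs every transfer and update with an empty key, which is likely to be rejected rather than refused up front. A doc comment on the new `var (` block would make the contract explicit, e.g. `// tsigName and tsigSecret identify the TSIG key (base64) used to sign every exchange with ControlSocket; they have no usable default and are set at startup from the environment or flags in main.` Since these are now mutable package variables written by main and read by every handler, the comment should also say they must be set before the HTTP server starts.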
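Review bot: The literal `map[string]string{tsigName: tsigSecret}` is now pasted into nine call sites (parseZoneRead here, delAssociatedDomains and AddAssociatedDomains below, and the AddNSDelegatedDomain, UpdateNSDelegatedDomain, AddGLUEDelegatedDomain, UpdateGLUEDelegatedDomain, AddDSDelegatedDomain and DeleteRRDelegatedDomain hunks that follow); a single accessor keeps the key/name pairing in one place, e.g. `func tsigKeyring() map[string]string { return map[string]string{tsigName: tsigSecret} }` with each site becoming `t.TsigSecret = tsigKeyring()` or `c.TsigSecret = tsigKeyring()`. Because the same `tsigName` is used both as the map key and in `SetTsig`, a value supplied from ADLIN_TSIG_NAME without the trailing dot would presumably fail the key lookup in the dns library rather than sign with a wrong name, so normalizing once at startup (`tsigName = dns.Fqdn(tsigName)` after the flags are parsed) is worth adding. The body of parseZoneRead continues outside this hunk.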
@@ -314,8 +314,8 @@ func AddNSDelegatedDomain(student adlin.Student, dn string, ttl uint32, ns strin
  m1.Insert([]dns.RR{rrNS})
  c := new(dns.Client)
- c.TsigSecret = tsigSecret
- m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ c.TsigSecret = map[string]string{tsigName: tsigSecret}
+ m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  _, _, err = c.Exchange(m1, ControlSocket)
  }
@@ -342,8 +342,8 @@ func UpdateNSDelegatedDomain(student adlin.Student, dn string, ttl uint32, oldns
  m1.Insert([]dns.RR{rrNS})
  c := new(dns.Client)
- c.TsigSecret = tsigSecret
- m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ c.TsigSecret = map[string]string{tsigName: tsigSecret}
+ m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  _, _, err = c.Exchange(m1, ControlSocket)
  }
@@ -379,8 +379,8 @@ func AddGLUEDelegatedDomain(student adlin.Student, dn string, ttl uint32, aaaa s
  m1.Insert([]dns.RR{rr})
  c := new(dns.Client)
- c.TsigSecret = tsigSecret
- m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ c.TsigSecret = map[string]string{tsigName: tsigSecret}
+ m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  _, _, err = c.Exchange(m1, ControlSocket)
@@ -422,8 +422,8 @@ func UpdateGLUEDelegatedDomain(student adlin.Student, dn string, ttl uint32, old
  m1.Insert([]dns.RR{rr})
  c := new(dns.Client)
- c.TsigSecret = tsigSecret
- m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ c.TsigSecret = map[string]string{tsigName: tsigSecret}
+ m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  _, _, err = c.Exchange(m1, ControlSocket)
  return
@@ -472,8 +472,8 @@ func AddDSDelegatedDomain(student adlin.Student, dn string, ttl uint32, rdata st
  m1.Insert([]dns.RR{ds})
  c := new(dns.Client)
- c.TsigSecret = tsigSecret
- m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ c.TsigSecret = map[string]string{tsigName: tsigSecret}
+ m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  _, _, err = c.Exchange(m1, ControlSocket)
  return
@@ -506,8 +506,8 @@ func DeleteRRDelegatedDomain(student adlin.Student, dn string, rr string, values
  m1.Remove([]dns.RR{rrr})
  c := new(dns.Client)
- c.TsigSecret = tsigSecret
- m1.SetTsig("rndc-key.", dns.HmacSHA256, 300, time.Now().Unix())
+ c.TsigSecret = map[string]string{tsigName: tsigSecret}
+ m1.SetTsig(tsigName, dns.HmacSHA256, 300, time.Now().Unix())
  _, _, err = c.Exchange(m1, ControlSocket)
diff --git a/token-validator/main.go b/token-validator/main.go
index 0937ad1..c2fdefa 100644
--- a/token-validator/main.go
+++ b/token-validator/main.go
@@ -59,12 +59,25 @@ func StripPrefix(prefix string, h http.Handler) http.Handler {
  }
  func main() {
+ if v, exists := os.LookupEnv("ADLIN_NS_HOST"); exists {
+ ControlSocket = v
+ }
+ if v, exists := os.LookupEnv("ADLIN_TSIG_NAME"); exists {
+ tsigName = v
+ }
+ if v, exists := os.LookupEnv("ADLIN_TSIG_SECRET"); exists {
+ tsigSecret = v
+ }
+
  var bind = flag.String("bind", ":8081", "Bind port/socket")
  var dsn = flag.String("dsn", adlin.DSNGenerator(), "DSN to connect to the MySQL server")
  flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
  flag.StringVar(&adlin.SharedSecret, "sharedsecret", "adelina", "secret used to communicate with remote validator")
  flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine")
  flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd")
+ flag.StringVar(&ControlSocket, "ns-host", ControlSocket, "Host:port of the nameserver to use")
+ flag.StringVar(&tsigName, "tsig-name", tsigName, "TSIG name to use to contact NS")
+ flag.StringVar(&tsigSecret, "tsig-secret", tsigSecret, "TSIG secret to use to contact NS")
  var dummyauth = flag.Bool("dummyauth", false, "don't perform password check")
  flag.Parse()
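Review bot: `flag.StringVar(&tsigSecret, "tsig-secret", tsigSecret, ...)` registers the value just read from ADLIN_TSIG_SECRET as the flag's default, so `-help` (flag.PrintDefaults) prints the live signing key in its `(default "...")` text, and passing the key on the command line additionally exposes it to anyone who can list processes on the host. Nothing in the hunk rejects an empty secret either, so a misconfigured deployment starts normally and only fails later when the nameserver refuses each signed update. Registering the flag with an empty default, resolving the environment value after `flag.Parse()`, and exiting when the result is still empty fixes both; the ADLIN_TSIG_SECRET lookup at the top of main moves below the parse as shown. The rest of main is outside this hunk.
```go
	// … unchanged: ADLIN_NS_HOST / ADLIN_TSIG_NAME lookups and the other flag definitions …
	var tsigSecretFlag = flag.String("tsig-secret", "", "TSIG secret to use to contact NS (overrides ADLIN_TSIG_SECRET; prefer the environment variable)")
	var dummyauth = flag.Bool("dummyauth", false, "don't perform password check")
	flag.Parse()

	// Resolve the secret only after parsing so -help never echoes it as a default.
	if *tsigSecretFlag != "" {
		tsigSecret = *tsigSecretFlag
	} else if v, exists := os.LookupEnv("ADLIN_TSIG_SECRET"); exists {
		tsigSecret = v
	}
	if tsigSecret == "" {
		// Fail fast: with an empty key every TSIG-signed exchange with the nameserver would be rejected.
		os.Stderr.WriteString("tsig secret is not set; provide ADLIN_TSIG_SECRET\n")
		os.Exit(1)
	}
```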