diff --git a/authoritative-dns.nix b/authoritative-dns.nix
index 9f7f9f9..8deac2d 100644
--- a/authoritative-dns.nix
+++ b/authoritative-dns.nix
@@ -76,9 +76,8 @@ in {
       stateDirectory = cfg.state-directory;
       zones = mapAttrs' (dom: domCfg:
         nameValuePair "${dom}." {
-          dnssec = zoneCfg.ksk.key-file != null;
-          ksk.keyFile =
-            mkIf (zoneCfg.ksk.key-file != null) zoneCfg.ksk.key-file;
+          dnssec = domCfg.ksk.key-file != null;
+          ksk.keyFile = mkIf (domCfg.ksk.key-file != null) domCfg.ksk.key-file;
           data = let content = zoneToZonefile cfg.timestamp dom domCfg.zone;
           in trace content content;
         }) cfg.domains;
diff --git a/nsd.nix b/nsd.nix
index 772c569..7413f00 100644
--- a/nsd.nix
+++ b/nsd.nix
@@ -24,6 +24,11 @@ let
 
   maybeConfig = prefix: x: if x == null then "" else ''${prefix} "${x}"'';
 
+  yesOrNo = b: if b then "yes" else "no";
+  maybeToString = prefix: x:
+    if x == null then "" else "${prefix} ${toString x}";
+  forEach = pre: l: concatMapStrings (x: pre + x + "\n") l;
+
   mkZoneFileName = name: if name == "." then "root" else name;
 
   # replaces include: directives for keys with fake keys for nsd-checkconf
@@ -142,11 +147,6 @@ let
     ${cfg.extraConfig}
   '';
 
-  yesOrNo = b: if b then "yes" else "no";
-  maybeToString = prefix: x:
-    if x == null then "" else "${prefix} ${toString x}";
-  forEach = pre: l: concatMapStrings (x: pre + x + "\n") l;
-
   keyConfigFile = concatStrings (mapAttrsToList (keyName: keyOptions: ''
     key:
       name:      "${keyName}"