diff --git a/defaults/main.yml b/defaults/main.yml
index a7b7f91..2cf80fd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -33,7 +33,7 @@ bind9_options:
 allow_update_forwarding: []
 auth_nxdomain: false
 blackhole: []
- dnssec_validations: true
+ dnssec_validation: true
 forwarders:
 - ip: "8.8.8.8" # Google IPv4
 port: "53"
@@ -60,6 +60,14 @@ bind9_options:
 minimal_responses: "no"
 notify: "yes"
 recursion: "yes"
+ update_policies: []
+ # - action: grant
+ # identity: keyname
+ # ruletype: name
+ # name: _acme-challenge.example.com.
+ # types:
+ # - TXT
+
 transfer_format: "many-answers"
 bind9_tsigkeys: []
diff --git a/templates/etc/named/named.conf.views.j2 b/templates/etc/named/named.conf.views.j2
index 7da32f7..7fc8d93 100644
--- a/templates/etc/named/named.conf.views.j2
+++ b/templates/etc/named/named.conf.views.j2
@@ -224,6 +224,22 @@ view "{{ view.name }}" {
 type {{ zone.type }};
+ # The update-policy clause allows more fine-grained control over which
+ # updates are allowed. It specifies a set of rules, in which each rule
+ # either grants or denies permission for one or more names in the zone to be
+ # updated by one or more identities. Identity is determined by the key that
+ # signed the update request, using either TSIG or SIG(0).
+ # https://bind9.readthedocs.io/en/v9_16_5/reference.html#dynamic-update-policies
+{% if zone.update_policies is defined and zone.update_policies | length > 0 %}
+ update-policy {
+{% for update_policy in zone.update_policies %}
+ {{ update_policy.action }} {{ update_policy.identity }} {{ update_policy.ruletype }} {{ update_policy.name | default('') }} {{ update_policy.types | default('') | join(' ') }};
+{% endfor %}
+ };
+{% else %}
+ # update-policy {};
+{% endif %}
+
 };
 {% endfor %}
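Review bot: `update_policies: []` is added under `bind9_options` (the hunk's context), but the template in this same commit reads it per zone as `zone.update_policies`, so a value set here is never rendered unless some consumer outside this diff reads `bind9_options.update_policies`. Either move the default and its example next to the zone definitions or state in the comment that the key belongs on each zone entry, e.g. `# Per-zone setting: put update_policies on a zone entry, not in bind9_options`. The example should also say that when `types` is omitted BIND matches every record type except RRSIG, NS, SOA, NSEC and NSEC3, so the `_acme-challenge` grant restricted to `- TXT` is the least-privilege form and `types` should not be dropped casually.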
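Review bot: `{{ update_policy.types | default('') | join(' ') }}` falls back to a string for a list-valued field; `join` over `''` happens to render nothing, but a scalar `types: TXT` would be iterated character by character and rendered as `T X T`, so the fallback should be `default([])` and `types` should be checked to be a list. named rejects a zone that carries both `allow-update` and `update-policy`, so if this template renders `allow-update` for zones elsewhere (not visible in the hunk) the new `{% if %}` needs to be mutually exclusive with that clause. The six `#` lines before `{% if %}` are plain template text, so they are written into named.conf for every zone of every view; a Jinja `{# … #}` comment would keep the explanation in the template only. The enclosing `{% for zone … %}` loop starts outside the hunk.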