diff --git a/management/dns_update.py b/management/dns_update.py
index 41cb0530..1849efd9 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -105,9 +105,9 @@ def do_dns_update(env, force=False):
 		if len(updated_domains) == 0:
 			updated_domains.append("DNS configuration")
 
-	# Kick nsd if anything changed.
+	# Tell nsd to reload changed zone files.
 	if len(updated_domains) > 0:
-		shell('check_call', ["/usr/sbin/service", "nsd", "restart"])
+		shell('check_call', ["/usr/sbin/nsd-control", "reload"])
 
 	# Write the OpenDKIM configuration tables for all of the mail domains.
 	from mailconfig import get_mail_domains
diff --git a/setup/dns.sh b/setup/dns.sh
index a6fe7dd9..e82ba8b1 100755
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -107,6 +107,9 @@ EOF
 echo "Installing nsd (DNS server)..."
 apt_install nsd ldnsutils openssh-client
 
+# Make sure nsd is running and has the latest configuration
+restart_service nsd
+
 # Create DNSSEC signing keys.
 
 mkdir -p "$STORAGE_ROOT/dns/dnssec";
diff --git a/setup/management.sh b/setup/management.sh
index 18bd75f6..385390bd 100755
--- a/setup/management.sh
+++ b/setup/management.sh
@@ -16,18 +16,6 @@ echo "Installing Mail-in-a-Box system management daemon..."
 
 # DEPENDENCIES
 
-# We used to install management daemon-related Python packages
-# directly to /usr/local/lib. We moved to a virtualenv because
-# these packages might conflict with apt-installed packages.
-# We may have a lingering version of acme that conflcits with
-# certbot, which we're about to install below, so remove it
-# first. Once acme is installed by an apt package, this might
-# break the package version and `apt-get install --reinstall python3-acme`
-# might be needed in that case.
-while [ -d /usr/local/lib/python3.4/dist-packages/acme ]; do
-	pip3 uninstall -y acme;
-done
-
 # duplicity is used to make backups of user data.
 #
 # virtualenv is used to isolate the Python 3 packages we
@@ -99,6 +87,8 @@ rm -f /tmp/bootstrap.zip
 
 # Create an init script to start the management daemon and keep it
 # running after a reboot.
+# Set a long timeout since some commands take a while to run, matching
+# the timeout we set for PHP (fastcgi_read_timeout in the nginx confs).
 # Note: Authentication currently breaks with more than 1 gunicorn worker.
 cat > $inst_dir/start <<EOF;
 #!/bin/bash
@@ -114,7 +104,7 @@ chmod 640 /var/lib/mailinabox/api.key
 
 source $venv/bin/activate
 export PYTHONPATH=$(pwd)/management:${LOCAL_MODS_DIR:-$(pwd)/local}
-exec gunicorn --log-level ${MGMT_LOG_LEVEL:-info} -b localhost:10222 -w 1 wsgi:app
+exec gunicorn --log-level ${MGMT_LOG_LEVEL:-info} -b localhost:10222 -w 1 --timeout 630 wsgi:app
 EOF
 chmod +x $inst_dir/start
 cp --remove-destination conf/mailinabox.service /lib/systemd/system/mailinabox.service # target was previously a symlink so remove it first
diff --git a/setup/nextcloud.sh b/setup/nextcloud.sh
index 258eb12a..f894a3e0 100755
--- a/setup/nextcloud.sh
+++ b/setup/nextcloud.sh
@@ -38,8 +38,8 @@ echo "Installing Nextcloud (contacts/calendar)..."
 #   we automatically install intermediate versions as needed.
 # * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
 #   copying it from the error message when it doesn't match what is below.
-nextcloud_ver=23.0.4
-nextcloud_hash=87afec0bf90b3c66289e6fedd851867bc5a58f01
+nextcloud_ver=23.0.8
+nextcloud_hash=9d63416a0697eeecf243d09461f5881f8997f50a
 
 # Nextcloud apps
 # --------------
@@ -50,12 +50,12 @@ nextcloud_hash=87afec0bf90b3c66289e6fedd851867bc5a58f01
 #   https://github.com/nextcloud/user_external/blob/master/appinfo/info.xml
 # * The hash is the SHA1 hash of the ZIP package, which you can find by just running this script and
 #   copying it from the error message when it doesn't match what is below.
-contacts_ver=4.1.1
-contacts_hash=7508069a6d2b46d216df5333e3295c19151dcc50
-calendar_ver=3.4.0
-calendar_hash=8667c3b47012bfee5545daa30dcc68ef8d39d493
-user_external_ver=v3.0.0
-user_external_hash=
+contacts_ver=4.2.0
+contacts_hash=79b506574834db5e1b6ab47aadd4041e12ad9a9c
+calendar_ver=3.5.0
+calendar_hash=941381536287a015081669513f8f79f6f262508a
+user_external_ver=3.0.0
+user_external_hash=0df781b261f55bbde73d8c92da3f99397000972f
 
 # Clear prior packages and install dependencies from apt.
 
@@ -104,11 +104,11 @@ InstallNextcloud() {
 	# their github repositories.
 	mkdir -p /usr/local/lib/owncloud/apps
 
-	wget_verify https://github.com/nextcloud-releases/contacts/releases/download/v$version_contacts/contacts-v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz
+	wget_verify https://github.com/nextcloud-releases/contacts/archive/refs/tags/v$version_contacts.tar.gz $hash_contacts /tmp/contacts.tgz
 	tar xf /tmp/contacts.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/contacts.tgz
 
-	wget_verify https://github.com/nextcloud-releases/calendar/releases/download/v$version_calendar/calendar-v$version_calendar.tar.gz $hash_calendar /tmp/calendar.tgz
+	wget_verify https://github.com/nextcloud-releases/calendar/archive/refs/tags/v$version_calendar.tar.gz $hash_calendar /tmp/calendar.tgz
 	tar xf /tmp/calendar.tgz -C /usr/local/lib/owncloud/apps/
 	rm /tmp/calendar.tgz
 
@@ -120,7 +120,7 @@ InstallNextcloud() {
 			git_clone https://github.com/nextcloud/user_external.git "$version_user_external" '' /usr/local/lib/owncloud/apps/user_external
 	else
 			# otherwise, download a release
-			wget_verify https://github.com/nextcloud/user_external/releases/download/v$version_user_external/user_external-$version_user_external.tar.gz $hash_user_external /tmp/user_external.tgz
+			wget_verify https://github.com/nextcloud-releases/user_external/releases/download/v$version_user_external/user_external-v$version_user_external.tar.gz $hash_user_external /tmp/user_external.tgz
 			tar -xf /tmp/user_external.tgz -C /usr/local/lib/owncloud/apps/
 			rm /tmp/user_external.tgz
 		fi
diff --git a/tests/system-setup/setup-funcs.sh b/tests/system-setup/setup-funcs.sh
index f9d63df5..532fa2c7 100755
--- a/tests/system-setup/setup-funcs.sh
+++ b/tests/system-setup/setup-funcs.sh
@@ -329,6 +329,18 @@ upstream_install() {
     if [ ! -e setup/start.sh ]; then
         die "Cannot install: the working directory must contain the source"
     fi
+
+    # Upstream expects a virgin system and we may have preinstalled
+    # nsd that was unable to start and is in the failed state
+    # (eg. could not bind to ::53 because named is also
+    # installed). Using `systemctl reset-failed` won't work becuase
+    # upstream's setup/dns.sh script doesn't start nsd - it only
+    # installs nsd using apt after creating nsd's configuration.
+    if systemctl is-failed --quiet nsd; then
+        echo "notice: removing nsd because systemd has it in the failed state"
+        exec_no_output apt-get remove -y nsd
+        #systemctl reset-failed nsd
+    fi
     
     if ! setup/start.sh; then
         echo "$F_WARN"