diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 74c31eca2..18e56e279 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -6,6 +6,8 @@ Changes in 4.2.0-Beta2
3) HELPER column in tcrules.
+4) De-implement DYNAMIC_ZONES=Yes in Shorewall-perl.
+
Changes in 4.2.0-Beta1
1) Fix handling of firewall marks.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index 9b4b79b5f..f5dca1a9f 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -75,6 +75,9 @@ Migration Issues.
Note that there is a new 'Rfc1918' macro that acts on addresses
reserved by RFC 1918.
+7) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
+ ipset-based zones instead.
+
Problems Corrected in Shorewall 4.2.0 Beta 2
1) When 'norfc1918' was specified on an interface with an RFC 1918 IP
@@ -118,7 +121,9 @@ Other Changes in Shoreall 4.2.0 Beta 2.
column names one of the Netfilter protocol 'helper' module sets
(ftp, sip, amanda, etc).
- See http://www.shorewall.net/traffic_shaping.htm for an example.
+ See http://www.shorewall.net/traffic_shaping.htm for an example.
+
+3) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.
None.
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index cc3c7880d..7c8460894 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -589,16 +589,12 @@ sub chain_base($) {
$chain;
}
-sub chain_base_cond($) {
- $config{DYNAMIC_ZONES} ? chain_base($_[0]) : $_[0];
-}
-
#
# Forward Chain for an interface
#
sub forward_chain($)
{
- chain_base_cond($_[0]) . '_fwd';
+ chain_base($_[0]) . '_fwd';
}
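Review bot: chain_base_cond is deleted here, but the module's @EXPORT list sits outside the hunk and is not touched by this diff; if it still names chain_base_cond, Exporter will install a glob pointing at an undefined sub into every importing module, and any remaining caller elsewhere in Shorewall::*.pm would only fail at runtime. Worth grepping the other modules for `chain_base_cond` and dropping it from @EXPORT in the same commit. A one-line comment above forward_chain, e.g. `# Chain names are always derived from chain_base() now that DYNAMIC_ZONES is gone.`, would explain why every helper below changed at once.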
#
@@ -625,7 +621,7 @@ sub use_forward_chain($) {
#
sub input_chain($)
{
- chain_base_cond($_[0]) . '_in';
+ chain_base($_[0]) . '_in';
}
#
@@ -669,7 +665,7 @@ sub use_input_chain($) {
#
sub output_chain($)
{
- chain_base_cond($_[0]) . '_out';
+ chain_base_($_[0]) . '_out';
}
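Review bot: `chain_base_($_[0])` on the new side of output_chain is a typo for `chain_base`; no sub of that name exists in the hunks (chain_base_cond was the one removed), so under strict this compiles but dies at runtime with an undefined-subroutine error the first time output_chain is called, which add_common_rules does for every interface. Change it to `chain_base($_[0]) . '_out';` so it matches input_chain and forward_chain in the neighbouring hunks.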
#
@@ -713,7 +709,7 @@ sub use_output_chain($) {
#
sub masq_chain($)
{
- chain_base_cond($_[0]) . '_masq';
+ chain_base($_[0]) . '_masq';
}
#
@@ -728,12 +724,12 @@ sub syn_flood_chain ( $ ) {
#
sub mac_chain( $ )
{
- chain_base_cond($_[0]) . '_mac';
+ chain_base($_[0]) . '_mac';
}
sub macrecent_target($)
{
- $config{MACLIST_TTL} ? chain_base_cond($_[0]) . '_rec' : 'RETURN';
+ $config{MACLIST_TTL} ? chain_base($_[0]) . '_rec' : 'RETURN';
}
#
@@ -741,22 +737,22 @@ sub macrecent_target($)
#
sub dynamic_fwd( $ )
{
- chain_base_cond($_[0]) . '_dynf';
+ chain_base($_[0]) . '_dynf';
}
sub dynamic_in( $ )
{
- chain_base_cond($_[0]) . '_dyni';
+ chain_base($_[0]) . '_dyni';
}
sub dynamic_out( $ ) # $1 = interface
{
- chain_base_cond($_[0]) . '_dyno';
+ chain_base($_[0]) . '_dyno';
}
sub dynamic_chains( $ ) #$1 = interface
{
- my $c = chain_base_cond($_[0]);
+ my $c = chain_base($_[0]);
( $c . '_dyni' , $c . '_dynf' , $c . '_dyno' );
}
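Review bot: dynamic_fwd, dynamic_in, dynamic_out and dynamic_chains are kept and re-pointed at chain_base, yet every caller visible in this diff (the add_common_rules block and the PREROUTING jump in Rules.pm) is removed by the same commit. If no caller outside the diff remains, these four helpers and their @EXPORT entries are dead code and should go with the feature rather than keep producing names of chains that nothing creates. If a caller does remain, a short comment above dynamic_fwd saying what still uses them, e.g. `# Still used by <caller>; the DYNAMIC_ZONES compile-time wiring was removed in 4.2.0.`, would save the next reader the search.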
@@ -771,7 +767,7 @@ sub zone_dynamic_chain( $ ) # $1 = zone
#
sub dnat_chain( $ )
{
- chain_base_cond($_[0]) . '_dnat';
+ chain_base($_[0]) . '_dnat';
}
#
@@ -779,7 +775,7 @@ sub dnat_chain( $ )
#
sub snat_chain( $ )
{
- chain_base_cond($_[0]) . '_snat';
+ chain_base($_[0]) . '_snat';
}
#
@@ -787,7 +783,7 @@ sub snat_chain( $ )
#
sub ecn_chain( $ )
{
- chain_base_cond($_[0]) . '_ecn';
+ chain_base($_[0]) . '_ecn';
}
#
@@ -795,7 +791,7 @@ sub ecn_chain( $ )
#
sub first_chains( $ ) #$1 = interface
{
- my $c = chain_base_cond($_[0]);
+ my $c = chain_base($_[0]);
( $c . '_fwd', $c . '_in' );
}
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 15759b8e9..c0784c1b5 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -1870,7 +1870,7 @@ sub get_configuration( $ ) {
default_yes_no 'DISABLE_IPV6' , '';
default_yes_no 'DYNAMIC_ZONES' , '';
- fatal_error "DYNAMIC_ZONES=Yes is incompatible with the -e option" if $config{DYNAMIC_ZONES} && $export;
+ fatal_error "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl $global{VERSION}" if $config{DYNAMIC_ZONES};
default_yes_no 'BRIDGING' , '';
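Review bot: The new fatal_error tells the user the option is gone but not what replaces it, while the release notes and IPSEC.xml in this same commit point at ipset-based dynamic zones; the message is the one place an upgrading user is guaranteed to see. Suggest `fatal_error "DYNAMIC_ZONES=Yes is not supported by Shorewall-perl $global{VERSION}; use ipset-based dynamic zones instead" if $config{DYNAMIC_ZONES};`. It would also help to state above the check why the option is still parsed at all, e.g. `# DYNAMIC_ZONES is still read so that an old shorewall.conf fails loudly instead of being silently ignored.`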
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 913480efd..2e7079410 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -638,20 +638,6 @@ sub add_common_rules() {
}
}
- if ( $config{DYNAMIC_ZONES} ) {
- for $interface ( all_interfaces ) {
- for $chain ( dynamic_chains $interface ) {
- new_standard_chain $chain;
- }
-
- new_nat_chain( $chain = dynamic_in($interface) );
-
- add_rule $filter_table->{input_chain $interface}, '-j ' . dynamic_in $interface;
- add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
- add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
- }
- }
-
$list = find_interfaces_by_option 'upnp';
if ( @$list ) {
@@ -1573,10 +1559,6 @@ sub generate_matrix() {
my $type = $zoneref->{type};
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
- if ( $config{DYNAMIC_ZONES} ) {
- create_zone_dyn_chain $zone, $frwd_ref if ( scalar keys %$source_ref ) || ( $type eq 'ipsec4' );
- }
-
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref;
my $interfacematch = '';
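Review bot: `my $type = $zoneref->{type}` survives the hunk, but its only use visible here was the removed `( $type eq 'ipsec4' )` condition for create_zone_dyn_chain. If the remainder of generate_matrix (which starts and ends outside this hunk) does not read $type, it is now an unused local and should be dropped; if it does, no change is needed. Likewise create_zone_dyn_chain itself loses its only visible caller here and is presumably dead unless something outside the diff still calls it.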
@@ -1625,11 +1607,6 @@ sub generate_matrix() {
insert_exclusions $dnatref, $exclusions if $dnatref->{referenced};
}
- if ( $config{DYNAMIC_ZONES} ) {
- push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
- push @rule_chains , [ $zone , firewall_zone , $chain2 ];
- }
-
if ( $nested ) {
#
# This is a sub-zone. We need to determine if
@@ -1831,8 +1808,6 @@ sub generate_matrix() {
next unless $chain; # CONTINUE policy with no rules
- push @rule_chains, [ $zone , $zone1 , $chain ] if $config{DYNAMIC_ZONES};
-
my $num_ifaces = 0;
if ( $zone eq $zone1 ) {
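Review bot: With the `push @rule_chains` on the removed line and the two in the previous hunk gone, nothing in the visible diff populates @rule_chains any more. Its declaration and whatever consumes it are outside these hunks in generate_matrix, but if they were only there to serve the DYNAMIC_ZONES run-time `add`/`delete` machinery they are now dead and should be removed in the same commit, or a comment left at the declaration saying what still fills the array. generate_matrix begins and ends outside the hunk.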
@@ -1952,13 +1927,6 @@ sub generate_matrix() {
addnatjump 'PREROUTING' , 'nat_in' , '';
addnatjump 'POSTROUTING' , 'nat_out' , '';
-
- if ( $config{DYNAMIC_ZONES} ) {
- for my $interface ( @interfaces ) {
- addnatjump 'PREROUTING' , dynamic_in( $interface ), match_source_dev( $interface );
- }
- }
-
addnatjump 'PREROUTING', 'dnat', '';
for my $interface ( @interfaces ) {
diff --git a/docs/IPSEC.xml b/docs/IPSEC.xml
index f64fd5bdb..d88268197 100644
--- a/docs/IPSEC.xml
+++ b/docs/IPSEC.xml
@@ -403,7 +403,11 @@ ipsec net 0.0.0.0/0
zones and add and delete remote endpoints dynamically using
/sbin/shorewall. With Shorewall 2.0.2 Beta 1 and later versions, this
capability must be enabled by setting DYNAMIC_ZONES=Yes in shorewall.conf.
+ url="manpages/shorewall.conf.html">shorewall.conf.
+ DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 or
+ later versions. Use dynamic zones
+ defined by ipsets instead.
+
In /etc/shorewall/zones:
diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml
index bbbf3d066..5025d9da8 100644
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -482,6 +482,9 @@
role="bold">yes, enables dynamic zones. DYNAMIC_ZONES=Yes
is not allowed in configurations that will run under Shorewall
Lite.
+
+ DYNAMIC_ZONES=Yes is not supported by Shorewall-perl 4.2.0 and
+ later.