diff --git a/CHANGES b/CHANGES
index c5b8922..6834e0e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+ -- make Net::Netmask optional
+
 -- byte range support for both webserver mode and reproxy-file mode Giao Phan . so clients can resume large transfers.
diff --git a/Makefile.PL b/Makefile.PL
index f8c4151..f2b37b7 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -24,10 +24,8 @@ WriteMakefile(
 ),
 PREREQ_PM => {
- 'Linux::AIO' => '1.3',
- 'Danga::Socket' => '1.36',
+ 'Danga::Socket' => '1.43',
 'BSD::Resource' => 0,
- 'Net::Netmask' => 0,
 'Test::More' => 0,
 'File::Find' => 0,
 },
diff --git a/lib/Perlbal/BackendHTTP.pm b/lib/Perlbal/BackendHTTP.pm
index bda228b..75999d6 100644
--- a/lib/Perlbal/BackendHTTP.pm
+++ b/lib/Perlbal/BackendHTTP.pm
@@ -176,11 +176,7 @@ sub assign_client {
 $hds->header("X-Proxy-Capabilities", "reproxy-file");
 # decide whether we trust the upstream or not
- my $trust = $self->{service}->{always_trusted}; # set to default auto-trust level
- if ($self->{service} && $self->{service}->{trusted_upstreams}) {
- $trust = 1
- if $self->{service}->{trusted_upstreams}->match($client->peer_ip_string);
- }
+ my $trust = $self->{service}->trusted_ip($client->peer_ip_string);
 # if we're not going to trust the upstream, reset these for security reasons
 unless ($trust) {
diff --git a/lib/Perlbal/Service.pm b/lib/Perlbal/Service.pm
index 0bb5bb7..50a5682 100644
--- a/lib/Perlbal/Service.pm
+++ b/lib/Perlbal/Service.pm
@@ -6,8 +6,6 @@ package Perlbal::Service;
 use strict;
 use warnings;
-use Net::Netmask;
-
 use Perlbal::BackendHTTP;
 use fields (
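Review bot: In the lib/Perlbal/BackendHTTP.pm hunk, the new `$self->{service}->trusted_ip(...)` is a method call on `$self->{service}` with no check that it is set, while the removed block tested `$self->{service} &&` before consulting the netmask, which suggests the field can be empty at this point. If it can, assign_client now dies on this line instead of reaching the `unless ($trust)` reset below it. `my $svc = $self->{service};` followed by `my $trust = $svc ? $svc->trusted_ip($client->peer_ip_string) : 0;` keeps the default at "not trusted" without the crash. assign_client starts and ends outside the hunk, so whether an earlier line already guarantees the service is not visible here.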
@@ -552,6 +550,21 @@ sub role {
 return $self->{role};
 }
+# called by BackendHTTP to ask if a client's IP is in our trusted list
+sub trusted_ip {
+ my Perlbal::Service $self = shift;
+ my $ip = shift;
+
+ return 1 if $self->{'always_trusted'};
+
+ my $tmap = $self->{trusted_upstreams};
+ return 0 unless $tmap;
+
+ # try to use it as a Net::Netmask object
+ return 1 if eval { $tmap->match($ip); };
+ return 0;
+}
+
 # manage some header stuff
 sub header_management {
 my Perlbal::Service $self = shift;
@@ -646,6 +659,9 @@ sub set {
 };
 if ($key eq 'trusted_upstream_proxies') {
+ my $loaded = eval { require Net::Netmask; 1; };
+ return $err->("Net::Netmask not installed") unless $loaded;
+
 if ($self->{trusted_upstreams} = Net::Netmask->new2($val)) {
 # set, all good
 return $ok->();
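Review bot: In the new trusted_ip sub, `eval { $tmap->match($ip); }` throws away any exception, so a `trusted_upstreams` value that cannot `match`, or an undefined `$ip`, silently makes every upstream untrusted with nothing reported, and the eval also overwrites the caller's `$@`. Returning 0 on failure is the safe direction and should stay. Put `local $@;` before the eval and add `warn "trusted_ip: match failed: $@" if $@;` before the final `return 0;` so a misconfigured trust list is visible to the operator. The header comment could also state that the sub returns 1 or 0 and that `always_trusted` answers before the address is looked at at all.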
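Review bot: In the `trusted_upstream_proxies` branch of set, the error `"Net::Netmask not installed"` is returned for every failure of `require`, including a module that is present but fails to compile or sits outside `@INC` for this process, and the real reason in `$@` is dropped. Carrying it through, e.g. `return $err->("Net::Netmask could not be loaded: $@") unless $loaded;`, tells the operator why the trusted-proxy list was not applied. Note also that this early return leaves `trusted_upstreams` as it was, whereas the assignment inside the `if` on the next context line appears to overwrite it even when `new2` returns false, so the two failure paths end with different trust state; a short comment saying which outcome is intended would help. The rest of set lies outside the hunk.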