Managing BIND9 DNS zone files manually doesn't scale. Every change means SSH-ing into a server, editing config files, and hoping you don't break DNS resolution for your entire infrastructure.
I built an open-source stack that turns BIND9 management into proper Infrastructure as Code. Here's what the stack looks like:
The Architecture
The solution has three components that work together:
bind9-api — A REST API that sits on top of BIND9, providing HTTP endpoints for zone management, record CRUD, ACL management, DNSSEC, and more.
Terraform Provider for BIND9 — A Terraform/OpenTofu provider that talks to the API, letting you manage DNS zones and records as code with full plan/apply workflow.
Ansible Role — Handles the one-time deployment of both BIND9 and the API on your servers.
The key design decision: Ansible manages infrastructure (installing BIND9, deploying the API) while Terraform manages content (zones, records, ACLs). Each tool does what it's best at.
What You Can Do
- Manage 30+ DNS record types (A, AAAA, CNAME, MX, TXT, SRV, CAA, and more)
- Single-server or multi-primary architectures
- DNSSEC key management (KSK, ZSK, CSK)
- ACL management as code
- Bulk record generation using Terraform's for_each and range()
- Prometheus metrics for monitoring
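As an added example of the bulk-generation pattern (this is illustrative code written for this page, not code from the provider's repository), here is a Terraform configuration that creates ten A records from a single resource block. The provider source address, the provider's endpoint and api_key arguments, and the bind9_zone / bind9_record resource names and attributes are assumptions about the provider's schema; check the provider documentation before using them.

```hcl
# Added example, not from the project. Resource names (bind9_zone,
# bind9_record), provider arguments (endpoint, api_key) and the provider
# source address are assumptions; adjust to the provider's documented schema.

terraform {
  required_providers {
    bind9 = {
      source = "example/bind9" # assumption: replace with the real registry address
    }
  }
}

# The API credential is a secret: mark it sensitive so it is redacted from
# plan/apply output, and supply it via TF_VAR_bind9_api_key rather than a file.
variable "bind9_api_key" {
  type      = string
  sensitive = true
}

provider "bind9" {
  endpoint = "https://dns-api.internal.example:8443" # assumption
  api_key  = var.bind9_api_key
}

resource "bind9_zone" "internal" {
  name = "internal.example."
}

locals {
  # range(1, 11) yields 1..10. Build a map "web01" => 10.0.1.11, ...,
  # "web10" => 10.0.1.20; the +10 offset keeps .1-.10 free for gateways.
  web_hosts = {
    for i in range(1, 11) :
    format("web%02d", i) => cidrhost("10.0.1.0/24", i + 10)
  }
}

# One resource block, ten records. Keying for_each on the hostname (not the
# index) means adding or removing a host only touches that host's record in
# the plan instead of renumbering every record after it.
resource "bind9_record" "web_a" {
  for_each = local.web_hosts

  zone  = bind9_zone.internal.name
  name  = each.key
  type  = "A"
  ttl   = 300
  value = each.value
}
```

Run terraform plan before apply and read the diff: with hostname-keyed for_each, growing the range from 10 to 12 hosts should show exactly two records to add and nothing to change or destroy. Because every record ends up in Terraform state alongside the provider configuration, keep that state in an access-controlled backend; a leaked state file is a full map of your internal namespace.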
Getting Started
The full walkthrough with architecture diagrams, code examples, and step-by-step setup is in the blog post on Dev Genius:
Read the full article on Medium
All three projects are open source under Apache 2.0. Contributions and feedback welcome!