diff --git a/doc/source/dns.rst b/doc/source/dns.rst
index 4427523144..23be238633 100644
--- a/doc/source/dns.rst
+++ b/doc/source/dns.rst
@@ -6,18 +6,27 @@ DNS
 ###
 
 The project runs authoritative DNS servers for any constituent
-projects that wish to use them.  The servers run Bind on a hidden
-master which handles automatic DNSSEC zone signing while the public
-authoritative servers run NSD.
+projects that wish to use them.
+
+Bind is run on a hidden master (`adns01.opendev.org`) which handles
+automatic DNSSEC zone signing.  Any changes to the zone files are
+deployed here.
+
+Secondary public authoritative servers run NSD and take zone transfers
+from the hidden primary.  These are published in the NS records for
+the managed zones.
 
 At a Glance
 ===========
 
 :Hosts:
+  * adns01.opendev.org
   * ns1.opendev.org
   * ns2.opendev.org
 :Ansible:
-  * :git_file:`inventory/service/group_vars/dns.yaml`
+  * :git_file:`inventory/service/group_vars/adns.yaml`
+  * :git_file:`inventory/service/group_vars/adns-primary.yaml`
+  * :git_file:`inventory/service/group_vars/adns-secondary.yaml`
 :Projects:
   * https://www.nlnetlabs.nl/projects/nsd/
   * https://www.isc.org/downloads/bind/doc/
diff --git a/inventory/service/group_vars/adns-primary.yaml b/inventory/service/group_vars/adns-primary.yaml
new file mode 100644
index 0000000000..a6c401a82c
--- /dev/null
+++ b/inventory/service/group_vars/adns-primary.yaml
@@ -0,0 +1,17 @@
+dns_repos:
+  - name: zone-opendev.org
+    url: https://opendev.org/opendev/zone-opendev.org
+  - name: zone-zuul-ci.org
+    url: https://opendev.org/opendev/zone-zuul-ci.org
+  - name: zone-gating.dev
+    url: https://opendev.org/opendev/zone-gating.dev
+dns_notify:
+  - 104.239.140.165
+  - 162.253.55.16
+iptables_extra_allowed_hosts:
+  - protocol: tcp
+    port: 53
+    hostname: ns1.opendev.org
+  - protocol: tcp
+    port: 53
+    hostname: ns2.opendev.org
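Review bot: `dns_notify` lists two bare IP addresses while `iptables_extra_allowed_hosts` names what are presumably the same two peers by hostname (ns1/ns2), so the two lists can drift apart with nothing in the file tying them together. Add a comment above `dns_notify` such as `# secondaries to NOTIFY on zone changes (ns1.opendev.org / ns2.opendev.org) - keep in step with iptables_extra_allowed_hosts below`, and a matching one on the firewall entries stating that they admit zone transfers on tcp/53 from those same secondaries. If the iptables role resolves `hostname` at apply time, these rules depend on external resolution of opendev.org, the zone this host is the hidden primary for; a comment recording that dependency, or using the literal addresses already present in `dns_notify`, would make the intent auditable.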
diff --git a/inventory/service/group_vars/ns.yaml b/inventory/service/group_vars/adns-secondary.yaml
similarity index 100%
rename from inventory/service/group_vars/ns.yaml
rename to inventory/service/group_vars/adns-secondary.yaml
diff --git a/inventory/service/group_vars/adns.yaml b/inventory/service/group_vars/adns.yaml
index a6c401a82c..27e0cdf358 100644
--- a/inventory/service/group_vars/adns.yaml
+++ b/inventory/service/group_vars/adns.yaml
@@ -1,17 +1,12 @@
-dns_repos:
-  - name: zone-opendev.org
-    url: https://opendev.org/opendev/zone-opendev.org
-  - name: zone-zuul-ci.org
-    url: https://opendev.org/opendev/zone-zuul-ci.org
-  - name: zone-gating.dev
-    url: https://opendev.org/opendev/zone-gating.dev
-dns_notify:
-  - 104.239.140.165
-  - 162.253.55.16
-iptables_extra_allowed_hosts:
-  - protocol: tcp
-    port: 53
-    hostname: ns1.opendev.org
-  - protocol: tcp
-    port: 53
-    hostname: ns2.opendev.org
+dns_zones:
+  - name: gating.dev
+    source: zone-gating.dev/zones/gating.dev/
+  - name: opendev.org
+    source: zone-opendev.org/zones/opendev.org/
+  - name: acme.opendev.org
+    source: zone-opendev.org/zones/acme.opendev.org/
+    unmanaged: True
+  - name: zuul-ci.org
+    source: zone-zuul-ci.org/zones/zuul-ci.org/
+  - name: zuulci.org
+    source: zone-zuul-ci.org/zones/zuulci.org/
diff --git a/inventory/service/group_vars/dns.yaml b/inventory/service/group_vars/dns.yaml
deleted file mode 100644
index 27e0cdf358..0000000000
--- a/inventory/service/group_vars/dns.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-dns_zones:
-  - name: gating.dev
-    source: zone-gating.dev/zones/gating.dev/
-  - name: opendev.org
-    source: zone-opendev.org/zones/opendev.org/
-  - name: acme.opendev.org
-    source: zone-opendev.org/zones/acme.opendev.org/
-    unmanaged: True
-  - name: zuul-ci.org
-    source: zone-zuul-ci.org/zones/zuul-ci.org/
-  - name: zuulci.org
-    source: zone-zuul-ci.org/zones/zuulci.org/
diff --git a/inventory/service/groups.yaml b/inventory/service/groups.yaml
index 0d669f71b2..eee3c04ebe 100644
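Review bot: `unmanaged: True` on the acme.opendev.org entry uses a capitalised boolean, which yamllint's truthy rule rejects and which YAML 1.1 and 1.2 loaders do not treat alike; write it as `unmanaged: true`. With the `adns` group now covering both the primary and the secondaries, this file is loaded on every authoritative server, and a header comment saying so would help, e.g. `# Zones served by all authoritative nameservers (adns = primary + secondaries); role-specific settings live in adns-primary.yaml and adns-secondary.yaml`. The meaning of `unmanaged` is not explained anywhere in the file; a one-line comment on that entry would spare the next reader a trip into the role.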
--- a/inventory/service/groups.yaml
+++ b/inventory/service/groups.yaml
@@ -1,6 +1,10 @@
 plugin: yamlgroup
 groups:
-  adns: adns*.open*.org
+  adns:
+    - adns*.opendev.org
+    - ns*.opendev.org
+  adns-primary: adns*.opendev.org
+  adns-secondary: ns*.opendev.org
   afs-server-common:
     - afs[0-9]*.openstack.org
     - afsdb[0-9]*.openstack.org
@@ -51,9 +55,6 @@ groups:
   control-plane-clouds:
     - bridge*.open*.org
   disabled: []
-  dns:
-    - adns*.opendev.org
-    - ns*.opendev.org
   eavesdrop: eavesdrop[0-9]*.opendev.org
   etherpad: etherpad[0-9]*.opendev.org
   gitea:
@@ -123,8 +124,6 @@ groups:
     - nb[0-9]*.opendev.org
   nodepool-launcher:
     - nl[0-9]*.open*.org
-  ns:
-    - ns[0-9]*.open*.org
   paste:
     - paste[0-9]*.opendev.org
   puppet:
diff --git a/playbooks/letsencrypt.yaml b/playbooks/letsencrypt.yaml
index a002728603..f6633323ca 100644
--- a/playbooks/letsencrypt.yaml
+++ b/playbooks/letsencrypt.yaml
@@ -9,7 +9,7 @@
   roles:
     - letsencrypt-acme-sh-install
     - letsencrypt-request-certs
-- hosts: "adns:!disabled"
+- hosts: "adns-primary:!disabled"
   name: "Install txt records"
   roles:
     - letsencrypt-install-txt-record
diff --git a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
index 88bc092886..fa6babbb27 100644
--- a/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
+++ b/playbooks/roles/install-ansible/files/inventory_plugins/test-fixtures/results.yaml
@@ -5,7 +5,11 @@ results:
 
   adns1.opendev.org:
     - adns
-    - dns
+    - adns-primary
+
+  ns1.opendev.org:
+    - adns
+    - adns-secondary
 
   afs01.dfw.openstack.org:
     - afs-server-common
diff --git a/playbooks/service-nameserver.yaml b/playbooks/service-nameserver.yaml
index 508dc93a8f..fbc1ae0a53 100644
--- a/playbooks/service-nameserver.yaml
+++ b/playbooks/service-nameserver.yaml
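Review bot: The patterns listed under `adns` repeat those of `adns-primary` and `adns-secondary` verbatim, so a later host-name change has to be made twice and the groups silently diverge if one edit is missed; a comment stating the intended invariant would at least make it explicit, e.g. `# adns = every authoritative nameserver, i.e. the union of adns-primary and adns-secondary`. `adns-primary: adns*.opendev.org` also narrows the old `adns*.open*.org` pattern, which is fine if no adns host lives under another domain — the results.yaml fixture suggests so, but this diff cannot confirm it. The `dns` and `ns` groups removed in the later hunks of this file are superseded by `adns-secondary`; any playbook or role outside this change that still targets `ns` or `dns` would now match no hosts without an error.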
@@ -1,11 +1,11 @@
-- hosts: adns:!disabled
-  name: "Base: configure adns server"
+- hosts: adns-primary:!disabled
+  name: "Base: configure primary authoritative nameserver"
   roles:
     - iptables
     - master-nameserver
 
-- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
-  name: "Base: configure authoritative nameservers"
+- hosts: "adns-secondary:!disabled"
+  name: "Base: configure secondary authoritative nameservers"
   roles:
     - iptables
     - nameserver
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 60687855a3..bf6e21e65d 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -114,11 +114,11 @@
         dest: "/etc/ansible/hosts/{{ item }}"
       loop:
         - group_vars/all.yaml
-        - group_vars/adns.yaml
+        - group_vars/adns-primary.yaml
+        - group_vars/adns-secondary.yaml
         - group_vars/bastion.yaml
         - group_vars/eavesdrop.yaml
         - group_vars/nodepool.yaml
-        - group_vars/ns.yaml
         - group_vars/registry.yaml
         - group_vars/gitea.yaml
         - group_vars/gitea-lb.yaml
diff --git a/playbooks/zuul/templates/group_vars/adns.yaml.j2 b/playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
similarity index 100%
rename from playbooks/zuul/templates/group_vars/adns.yaml.j2
rename to playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
diff --git a/playbooks/zuul/templates/group_vars/ns.yaml.j2 b/playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
similarity index 100%
rename from playbooks/zuul/templates/group_vars/ns.yaml.j2
rename to playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
diff --git a/zuul.d/infra-prod.yaml b/zuul.d/infra-prod.yaml
index a3d12deb5f..98361ff79e 100644
--- a/zuul.d/infra-prod.yaml
+++ b/zuul.d/infra-prod.yaml
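Review bot: The two `hosts:` patterns in the new play headers are quoted inconsistently — `adns-primary:!disabled` is a bare scalar while `"adns-secondary:!disabled"` is quoted. Both parse as plain strings here, since the colon is not followed by a space, but `:` and `!` are YAML indicators and the file already quotes the second one, so `- hosts: "adns-primary:!disabled"` keeps the playbook uniform and robust to later edits of the pattern.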
@@ -152,7 +152,8 @@
       - inventory/base
       - playbooks/service-nameserver.yaml
       - inventory/service/group_vars/adns.yaml
-      - inventory/service/group_vars/ns.yaml
+      - inventory/service/group_vars/adns-primary.yaml
+      - inventory/service/group_vars/adns-secondary.yaml
       - playbooks/roles/master-nameserver/
       - playbooks/roles/nameserver/
       - playbooks/roles/iptables/
diff --git a/zuul.d/system-config-run.yaml b/zuul.d/system-config-run.yaml
index 3aba631009..75c164da14 100644
--- a/zuul.d/system-config-run.yaml
+++ b/zuul.d/system-config-run.yaml
@@ -440,10 +440,11 @@
           '/var/lib/bind/zones': logs
     files:
       - playbooks/bootstrap-bridge.yaml
+      - inventory/service/group_vars/adns-primary.yaml
+      - inventory/service/group_vars/adns-secondary.yaml
       - inventory/service/group_vars/adns.yaml
-      - inventory/service/group_vars/dns.yaml
-      - playbooks/zuul/templates/group_vars/adns.yaml.j2
-      - playbooks/zuul/templates/group_vars/ns.yaml.j2
+      - playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
+      - playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
       - playbooks/roles/master-nameserver/
       - playbooks/roles/nameserver/
       - testinfra/test_adns.py