diff --git a/doc/source/dns.rst b/doc/source/dns.rst
index 693709299d..84081b5da7 100644
--- a/doc/source/dns.rst
+++ b/doc/source/dns.rst
@@ -23,7 +23,16 @@ At a Glance
 Adding a Zone
 =============
-To add a new zone, add an entry to :file:`manifests/site.pp`, and
+To add a new zone, add an entry to :file:`manifests/site.pp`,
+:file:`modules/openstack_project/manifests/master_nameserver.pp` and
 create a new git repository to hold the contents of the zone.
+Run::
+
+ dnssec-keygen -a RSASHA256 -b 2048 -3 example.net
+ dnssec-keygen -a RSASHA256 -b 2048 -3 -fk example.net
+
+And add the resulting files to the `dnssec_keys` key in the
+`group/adns.yaml` private hiera file on puppetmaster.
+
 .. note:: This section will be expanded.
diff --git a/manifests/site.pp b/manifests/site.pp
index d1a83818d8..78aad1543d 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -825,6 +825,27 @@ node /^status\d*\.openstack\.org$/ {
 }
 }
+# This is a hidden authoritative master nameserver, not publicly
+# accessible.
+# Node-OS: xenial
+node /^adns\d+\.openstack\.org$/ {
+ $group = 'adns'
+
+ class { 'openstack_project::server':
+ sysadmins => hiera('sysadmins', []),
+ iptables_allowed_hosts => [
+ {protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
+ ],
+ }
+
+ class { 'openstack_project::master_nameserver':
+ tsig_key => hiera('tsig_key', {}),
+ dnssec_keys => hiera_hash('dnssec_keys', {}),
+ notifies => dns_a('ns1.openstack.org'),
+ }
+}
+
+# These are publicly accessible authoritative slave nameservers.
 # Node-OS: xenial
 node /^ns\d+\.openstack\.org$/ {
 $group = 'ns'
diff --git a/modules.env b/modules.env
index 89c19c8ca5..351dbc5cf8 100644
--- a/modules.env
+++ b/modules.env
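Review bot: `tsig_key => hiera('tsig_key', {})` in the new adns node lets a missing hiera value pass an empty hash into `openstack_project::bind_key`, which renders a stanza with `algorithm ;` and `secret "";` into /etc/bind/tsig.key, so the mistake surfaces as a named configuration error on the host instead of a catalog failure on the puppetmaster; since that key is the only control on `allow-transfer`, a bare `hiera('tsig_key')` with no default would make the lookup fail hard where the operator sees it. The `{}` default on `dnssec_keys` is fine, since an empty hash there simply means no keys are managed. Also, `node /^adns\d+\.openstack\.org$/` (and the existing `ns\d+` node) require a digit, while the `adns ~adns\d*\.openstack\.org` and `ns ~ns\d*\.openstack\.org` entries added to groups.txt do not, so a host named plain `adns.openstack.org` would be placed in the group without ever matching a node definition; the two patterns should agree.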
@@ -80,6 +80,7 @@ SOURCE_MODULES["https://github.com/rafaelfelix/puppet-pear"]="1.0.3"
 SOURCE_MODULES["https://github.com/saz/puppet-memcached"]="v2.6.0"
 SOURCE_MODULES["https://github.com/saz/puppet-timezone"]="v3.3.0"
 SOURCE_MODULES["https://github.com/stankevich/puppet-python"]="1.9.4"
+SOURCE_MODULES["https://github.com/theforeman/puppet-dns"]="4.1.0"
 SOURCE_MODULES["https://github.com/vamsee/puppet-solr"]="0.0.8"
 SOURCE_MODULES["https://github.com/voxpupuli/puppet-alternatives"]="0.3.0"
 SOURCE_MODULES["https://github.com/voxpupuli/puppet-archive"]="v0.5.1"
diff --git a/modules/openstack_project/files/puppetmaster/groups.txt b/modules/openstack_project/files/puppetmaster/groups.txt
index 6a4790b5d8..8356abd882 100644
--- a/modules/openstack_project/files/puppetmaster/groups.txt
+++ b/modules/openstack_project/files/puppetmaster/groups.txt
@@ -22,3 +22,5 @@ zuul-executor ~ze\d+\.openstack\.org
 grafana ~grafana\d*\.openstack\.org
 status ~status\d*\.openstack\.org
 paste ~paste\d*\.openstack\.org
+adns ~adns\d*\.openstack\.org
+ns ~ns\d*\.openstack\.org
diff --git a/modules/openstack_project/manifests/master_nameserver.pp b/modules/openstack_project/manifests/master_nameserver.pp
new file mode 100644
index 0000000000..21a1e969cc
--- /dev/null
+++ b/modules/openstack_project/manifests/master_nameserver.pp
@@ -0,0 +1,120 @@
+define openstack_project::master_zone (
+ $source = undef,
+) {
+ concat::fragment { "dns_zones+10_${name}.dns":
+ target => $::dns::publicviewpath,
+ content => template('openstack_project/nameserver/bind.zone.erb'),
+ order => "10-${name}",
+ }
+ file { "/var/lib/bind/zones/${name}":
+ ensure => directory,
+ owner => 'bind',
+ group => 'bind',
+ mode => 'u+rwX,g+rX,o+rX',
+ source => $source,
+ recurse => remote,
+ require => File['/var/lib/bind/zones'],
+ notify => Service[$::dns::namedservicename],
+ }
+ file { "/etc/bind/keys/${name}":
+ require => File['/etc/bind/keys'],
+ ensure => directory,
+ owner => 'root',
+ group => 'bind',
+ mode => '0750',
+ }
+}
+
+define openstack_project::dnssec_key (
+ $public = undef,
+ $private = undef,
+ $zone = undef,
+) {
+ file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.key":
+ ensure => present,
+ content => $public,
+ owner => 'root',
+ group => 'bind',
+ mode => '0440',
+ require => File["/etc/bind/keys/${zone}"],
+ }
+ file { "/etc/bind/keys/${zone}/K${zone}.+008+${name}.private":
+ ensure => present,
+ content => $private,
+ owner => 'root',
+ group => 'bind',
+ mode => '0440',
+ require => File["/etc/bind/keys/${zone}"],
+ }
+}
+
+define openstack_project::bind_key (
+ $key = undef,
+) {
+ file { "/etc/bind/${name}.key":
+ require => Package[$::dns::dns_server_package],
+ owner => 'root',
+ group => 'bind',
+ mode => '0440',
+ content => template('openstack_project/nameserver/bind.key.erb'),
+ }
+}
+
+class openstack_project::master_nameserver (
+ $tsig_key = undef,
+ $dnssec_keys = undef,
+ $notifies = undef,
+) {
+
+ $also_notify = join($notifies, ';')
+
+ class { '::haveged': }
+
+ class { '::dns':
+ dns_notify => yes,
+ listen_on_v6 => "${::ipaddress6}",
+ additional_directives => [
+ 'include "/etc/bind/tsig.key";',
+ ],
+ additional_options => {
+ 'listen-on' => "{ ${::ipaddress}; }",
+ # Notify requests can also be TSIG signed, but the current version
+ # of the NSD puppet module doesn't let us configure that easily.
+ 'also-notify' => "{ ${also_notify}; }",
+ # Bind doesn't make it easy (or possible?) to restrict transfers by
+ # ip address and TSIG, so we only use the TSIG key here.
+ 'allow-transfer' => "{ key tsig; }",
+ }
+ }
+
+ file { '/etc/bind/keys':
+ require => Package[$::dns::dns_server_package],
+ ensure => directory,
+ owner => 'root',
+ group => 'bind',
+ mode => '0750',
+ }
+ file { '/var/lib/bind/zones':
+ require => Package[$::dns::dns_server_package],
+ ensure => directory,
+ }
+
+ openstack_project::bind_key { 'tsig':
+ key => $tsig_key,
+ }
+
+ create_resources(openstack_project::dnssec_key, $dnssec_keys)
+
+ # Per zone configuration
+ vcsrepo { '/opt/zone-zuul-ci.org':
+ ensure => latest,
+ provider => git,
+ revision => 'master',
+ source => 'https://git.openstack.org/openstack-infra/zone-zuul-ci.org',
+ }
+ openstack_project::master_zone { 'zuul-ci.org':
+ source => 'file:///opt/zone-zuul-ci.org/zones/zuul-ci.org',
+ require => Vcsrepo['/opt/zone-zuul-ci.org'],
+ }
+
+}
diff --git a/modules/openstack_project/templates/nameserver/bind.key.erb b/modules/openstack_project/templates/nameserver/bind.key.erb
new file mode 100644
index 0000000000..d7b83fd18d
--- /dev/null
+++ b/modules/openstack_project/templates/nameserver/bind.key.erb
@@ -0,0 +1,4 @@
+key "<%= @name %>" {
+ algorithm <%= @key['algorithm'] %>;
+ secret "<%= @key['secret'] %>";
+};
diff --git a/modules/openstack_project/templates/nameserver/bind.zone.erb b/modules/openstack_project/templates/nameserver/bind.zone.erb
new file mode 100644
index 0000000000..c6d9b3156d
--- /dev/null
+++ b/modules/openstack_project/templates/nameserver/bind.zone.erb
@@ -0,0 +1,13 @@
+zone <%= @name %> {
+ type master;
+ file "/var/lib/bind/zones/<%= @name %>/zone.db";
+
+ # look for dnssec keys here:
+ key-directory "/etc/bind/keys/<%= @name %>";
+
+ # publish and activate dnssec keys:
+ auto-dnssec maintain;
+
+ # use inline signing:
+ inline-signing yes;
+};
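Review bot: The `.private` file in `openstack_project::dnssec_key` and `/etc/bind/${name}.key` in `openstack_project::bind_key` manage secret material through `content`, so every change to them is diffed into the agent log and the puppet report unless the resource carries `show_diff => false`; add that line next to `mode => '0440'` in both resources. None of the three defines or the class has a header comment, and the `K${zone}.+008+${name}.key` filename in `dnssec_key` hard-codes algorithm number 8 (RSASHA256, matching the `dnssec-keygen -a RSASHA256` the docs prescribe) while expecting the key tag as the resource title, which deserves a comment such as `# Title is the key tag; 008 is RSASHA256, the only algorithm the documented dnssec-keygen invocation produces.` `$notifies` defaults to `undef` but is fed straight to `join($notifies, ';')`, so the class cannot be declared without it; either drop the default or document the parameter as required. The `vcsrepo` with `ensure => latest` and `revision => 'master'` means whatever lands on that branch is served and signed automatically, so a one-line comment noting that the zone repository's merge policy is the control point for published zone data would help the next maintainer.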
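Review bot: `inline-signing yes` together with `auto-dnssec maintain` has named write the signed copy and its journal alongside `zone.db` in `/var/lib/bind/zones/<%= @name %>/`, which, as far as I read BIND's documentation, is why the directory in `master_zone` is owned by `bind`; a comment on the `file` line such as `# named writes zone.db.signed and journals here, so the directory must be writable by bind` would record that dependency where the next maintainer will look. The zone name on the first line is also the only interpolated value left unquoted; `zone "<%= @name %>" {` would match the quoted form used for the `file` and `key-directory` paths below it.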