diff --git a/agenix/secrets.nix b/agenix/secrets.nix
index 49aba5e..a3119d1 100644
--- a/agenix/secrets.nix
+++ b/agenix/secrets.nix
@@ -5,4 +5,8 @@ let
 in
 {
 "ntfy.age".publicKeys = [ tuxcord-ca ] ++ builtins.attrValues users;
+
+ # tsig-keygen sub.domain.tld.
+ "dns/tuxcord.key".publicKeys = [ tuxcord-ca ] ++ [ users.error users.javalsai ];
+ # "dns/users/XXX.key".publicKeys = [ users.XXX ];
 }
diff --git a/nixos/common.nix b/nixos/common.nix
index 34fda88..51e88f5 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -28,6 +28,14 @@ in
 ./vm.nix
 ];
+
+ age.secrets = {
+ dns-root-key = {
+ file = ../agenix/dns/tuxcord.key;
+ group = "named";
+ owner = "named";
+ };
+ };
+
 nix = {
 package = inputs'.nix-super.packages.default;
@@ -97,7 +105,10 @@ in
 extraHosts =
 let
- subdomains = [ "" ".git" ];
+ subdomains = [
+ ""
+ ".git"
+ ];
 in
 builtins.foldl' (
 hosts-acc: domain-prefix:
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index e8b7049..01c80d9 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
+ ./dns.nix
 ./fail2ban.nix
 ./gitea.nix
 ./host.nix
diff --git a/nixos/modules/dns.nix b/nixos/modules/dns.nix
new file mode 100644
index 0000000..c36d4b1
--- /dev/null
+++ b/nixos/modules/dns.nix
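Review bot: The `# tsig-keygen sub.domain.tld.` comment above `"dns/tuxcord.key"` leaves the one property that matters unstated: nixos/modules/dns.nix includes this file verbatim and grants `update-policy` rights to a key literally named `tuxcord.net`, so the key name chosen when the file is generated must be exactly that, or the grant silently matches nothing. I would make the comment say so, e.g. `# tsig-keygen tuxcord.net.  (key name must equal keys[].name in nixos/modules/dns.nix)`. The same constraint applies to the commented `"dns/users/XXX.key"` template, where the key name has to be the user's subdomain for the `subdomain` rule to apply. Minor style: `[ tuxcord-ca ] ++ [ users.error users.javalsai ]` can simply be written `[ tuxcord-ca users.error users.javalsai ]`.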
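Review bot: `age.secrets.dns-root-key` is declared in common.nix while its only consumer is `config.age.secrets.dns-root-key.path` in nixos/modules/dns.nix, so every host that imports common.nix provisions the zone-update TSIG key even where BIND is not running; if common.nix is shared by more than one host, that places a secret on machines with no use for it, and hosts whose key is not listed in agenix/secrets.nix will presumably attempt and fail to decrypt it at activation. Moving the declaration into dns.nix keeps the key next to the `include` that reads it and confines it to the DNS host. The hunk leaves `mode` at agenix's default; with `owner`/`group` both `named` that is adequate, but a one-line comment such as `# readable only by the named user (agenix default mode)` would make the intent explicit for the next reader.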
@@ -0,0 +1,52 @@
+{ config, ... }:
+let
+ fqdn = "tuxcord.net";
+ # fqdn = config.networking.fqdn;
+
+ zonesub = _: "zonesub";
+ subdomain = name: "subdomain ${name}";
+
+ # careful, assumes the fqdn (name) matches the key name content
+ keys = [
+ {
+ name = "tuxcord.net";
+ path = config.age.secrets.dns-root-key.path;
+ type = zonesub;
+ }
+ ];
+in
+{
+ services.bind = {
+ enable = true;
+
+ extraConfig = builtins.concatStringsSep "\n" (map (key: "include \"${key.path}\";") keys);
+
+ zones = {
+ "${fqdn}" = {
+ # grant "tuxcord.net" zonesub ANY;
+ extraConfig = ''
+ update-policy {
+ ${builtins.concatStringsSep "\n" (
+ map (key: "grant \"${key.name}\" ${key.type key.name} ANY;") keys
+ )}
+ };
+ '';
+ file = "/var/dns/${fqdn}.zone"; # need to put default stuff
+ master = true;
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ config.services.bind.listenOnPort ];
+ networking.firewall.allowedUDPPorts = [ config.services.bind.listenOnPort ];
+
+ environment.persistence."/persist" = {
+ directories = [
+ {
+ directory = "/var/dns";
+ group = "named";
+ user = "named";
+ }
+ ];
+ };
+}
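Review bot: `services.bind.enable = true` and the two `networking.firewall.allowed*Ports` lines are unconditional, and nixos/modules/default.nix now imports this file, so any host built from that module set becomes an Internet-facing authoritative nameserver that accepts dynamic updates; if more than one host imports these modules, gate the module behind an enable option as sketched below (the option path is illustrative). Within `keys`, `name = "tuxcord.net"` duplicates `fqdn`, and the `# careful` comment describes exactly the coupling that breaks when one is edited without the other; `name = fqdn;` removes the duplication, leaving the comment to state the remaining constraint: `# must equal the key name inside the agenix file (the tsig-keygen argument)`. `file = "/var/dns/${fqdn}.zone"` is never created by this module, so on a fresh host named will refuse to load the zone until someone writes it by hand, and `# need to put default stuff` should at least be an explicit TODO, or the module should seed the file when it is absent. With `zonesub ANY`, whoever holds the root key can rewrite every record below the apex, which appears to be the intended scope here but is worth spelling out in the `# grant` comment so the per-user `subdomain` rule is recognisably the narrower one.
```nix
{ config, lib, ... }:
let
  cfg = config.services.tuxcord-dns; # illustrative option path
  # … unchanged: fqdn, zonesub, subdomain, keys …
in
{
  options.services.tuxcord-dns.enable = lib.mkEnableOption "authoritative BIND for ${fqdn}";

  config = lib.mkIf cfg.enable {
    # … unchanged: services.bind, networking.firewall, environment.persistence …
  };
}
```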