diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
new file mode 100644
index 0000000..25b3de1
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -0,0 +1,2 @@
+---
+deploy_systemd_resolved_config__enable: false
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index e032782..130d914 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -101,3 +101,8 @@
 
 - name: Run ensure_eh22_styleguide_dir Playbook
 ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
+
+- name: Setup authoritative dns servers
+ hosts: auth-dns
+ roles:
+ - auth-dns
diff --git a/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2 b/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
new file mode 100644
index 0000000..7ebc230
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/docker_compose/compose.yaml.j2
@@ -0,0 +1,13 @@
+# Links & Resources
+# https://www.knot-dns.cz/docs/latest/html/index.html
+
+services:
+ knot:
+ image: docker.io/cznic/knot:v3.5.4
+ restart: unless-stopped
+ command: "knotd"
+ network_mode: host
+ volumes:
+ - ./configs:/config:ro
+ - ./storage:/storage
+
diff --git a/roles/auth-dns/handlers/main.yaml b/roles/auth-dns/handlers/main.yaml
new file mode 100644
index 0000000..5ee0a5d
--- /dev/null
+++ b/roles/auth-dns/handlers/main.yaml
@@ -0,0 +1,8 @@
+- tags: [ 02-auth-dns ]
+ name: restart knot
+ become: true
+ notify: restart knot
+ ansible.builtin.systemd:
+ name: knot.service
+ state: restarted
+
diff --git a/roles/auth-dns/tasks/01-install.yaml b/roles/auth-dns/tasks/01-install.yaml
new file mode 100644
index 0000000..e3a66e3
--- /dev/null
+++ b/roles/auth-dns/tasks/01-install.yaml
@@ -0,0 +1,6 @@
+- tags: [ auth-dns ]
+ name: Install knot
+ become: true
+ package:
+ name: [ knot, knot-exporter ]
+
diff --git a/roles/auth-dns/tasks/02-configure.yaml b/roles/auth-dns/tasks/02-configure.yaml
new file mode 100644
index 0000000..6577a79
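Review bot: The reason for switching off the systemd-resolved config deploy on this host is not recorded, so a reader of the inventory cannot tell whether it is safe to flip back. Presumably it is to keep resolved's stub listener away from port 53 so knot can bind the `0.0.0.0@53` / `::@53` listen addresses from the role's template, in which case a one-line comment above the variable would capture that: `# knot binds *:53 itself; keep resolved's stub listener from claiming the port`.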
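Review bot: Nothing in this role references the compose file — the tasks install the distro `knot` package and the handler restarts `knot.service` — so `compose.yaml.j2` lands as an unused second deployment path with its own pinned version (`v3.5.4`) that will drift from the packaged knot. Either drop it or make it the path the role actually uses; if it stays, pin the image by digest rather than tag (`image: docker.io/cznic/knot:v3.5.4@sha256:…`), since `network_mode: host` puts this container in the host's network namespace and it is worth knowing exactly which image that is. The volumes mount `./configs` and `./storage` while the knot template in this commit uses `/etc/knot` and `/var/lib/knot`, another sign the two paths were not reconciled.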
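Review bot: The handler notifies itself (`notify: restart knot` inside the `restart knot` handler), which is at best a no-op and at worst re-queues the restart; drop that line. Its tag `02-auth-dns` also does not match the `auth-dns` tag both tasks use, so a run limited with `--tags auth-dns` may leave the restart unselected depending on how the Ansible version in use applies tags to handlers — use the same tag in all three files. For an authoritative server, a config change could use `state: reloaded` instead of a full restart if the packaged unit defines an `ExecReload` (Debian's does, via `knotc reload`), avoiding the window in which queries are dropped; keep `restarted` only if the role needs it for changes a reload cannot apply.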
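Review bot: No task enables or starts `knot.service`; the role only installs the packages and the handler restarts the unit, so on a distribution whose package does not auto-enable services the first run ends with knot installed but not listening, and it would only come up as a side effect of a later config change. Add a task after the install, e.g. `ansible.builtin.systemd: {name: knot.service, enabled: true, state: started}`, and consider an explicit `state: present` on the package task so the intent survives module-default changes. `knot-exporter` is installed but nothing in this commit configures it or points a scraper at it; note what will consume it or leave it out until then.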
--- /dev/null
+++ b/roles/auth-dns/tasks/02-configure.yaml
@@ -0,0 +1,11 @@
+- tags: [ auth-dns ]
+ name: Deploy knot configuration file
+ become: true
+ notify: restart knot
+ template:
+ src: knot.conf.j2
+ dest: /etc/knot/knot.conf
+ owner: knot
+ group: knot
+ mode: u=rw,g=r,o=
+
diff --git a/roles/auth-dns/tasks/main.yaml b/roles/auth-dns/tasks/main.yaml
new file mode 100644
index 0000000..8bf981f
--- /dev/null
+++ b/roles/auth-dns/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: 01-install.yaml
+- import_tasks: 02-configure.yaml
diff --git a/roles/auth-dns/templates/knot.conf.j2 b/roles/auth-dns/templates/knot.conf.j2
new file mode 100644
index 0000000..d0e5a5a
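Review bot: The rendered template is written straight to `/etc/knot/knot.conf` and a restart is queued with no validation, so a templating mistake (and the template in this commit already carries an empty TSIG `secret: ""` and catalog settings without a catalog zone) takes the authoritative server down at the restart instead of failing the play. Add `validate: "knotc -c %s conf-check"` to the template task so knot checks the rendered file before it replaces the live one. The `owner: knot` / `mode: u=rw,g=r,o=` choice is right for a file that will hold a TSIG secret; keep it.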
@@ -0,0 +1,64 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+ rundir: "/run/knot"
+ user: knot:knot
+ automatic-acl: on
+ listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+ - target: syslog
+ any: info
+
+database:
+ storage: "/var/lib/knot"
+
+key:
+ - id: auth-dns.hamburg.ccc.de
+ algorithm: hmac-sha512
+ secret: ""
+
+remote:
+ - id: quad9
+ address: "2620:fe::fe"
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+ - id: default
+ parent: quad9
+ parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check of KSK presence
+policy:
+ - id: default
+ ksk-submission: default
+ nsec3: true
+ nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+ - id: default
+ storage: "/etc/knot/zones"
+ file: "%s.zone"
+ semantic-checks: on
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ journal-content: all
+ default-ttl: 60
+ catalog-role: member
+ catalog-zone: hamburg.ccc.de.catalog.
+ dnssec-signing: on
+ dnssec-policy: default
+ {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+ - id: minimal
+ {# notify: ["ns1.hanse.de", "ns.bsd.network."] #}
+
+zone:
+ {# - domain: onsite.eurofurence.catalog. #}
+ {# template: minimal #}
+ {# catalog-role: generate #}
+ {# - domain: "onsite.eurofurence.org" #}
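Review bot: The TSIG key `auth-dns.hamburg.ccc.de` is defined with `secret: ""`, an empty hard-coded secret in a committed template; knot will most likely reject the key at load, and if it did not, any ACL built on it would be trivially forgeable. Template it from a vaulted variable, `secret: "{{ auth_dns_tsig_secret }}"`, and never commit the value (the `o=` file mode in the configure task already keeps it from other local users). As written the key is not referenced by any `remote` or `acl`, and `automatic-acl: on` only derives ACLs from remotes that bind a key, so zone transfers and NOTIFYs currently have no authentication at all. The default template sets `catalog-role: member` with `catalog-zone: hamburg.ccc.de.catalog.` but no zone with `catalog-role: generate` is defined (the example is commented out), which knot's config check may refuse; and the KSK submission check depends on a single IPv6-only resolver (`2620:fe::fe`), so a host without IPv6 reachability would never see its DS published — make it `address: [ "2620:fe::fe", "9.9.9.9" ]`.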