diff --git a/k8s/infrastructure/authoritative-dns/ci-rbac.yaml b/k8s/infrastructure/authoritative-dns/ci-rbac.yaml
new file mode 100644
index 0000000..e9779a2
--- /dev/null
+++ b/k8s/infrastructure/authoritative-dns/ci-rbac.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: dns-zone-editor
+ namespace: authoritative-dns
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ resourceNames: ["coredns-auth-zone"]
+ verbs: ["get", "update", "patch"]
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ resourceNames: ["coredns-auth"]
+ verbs: ["get", "list", "watch", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: coredns-ci-zone-editor
+ namespace: authoritative-dns
+subjects:
+ - kind: ServiceAccount
+ name: coredns-ci
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: dns-zone-editor
diff --git a/k8s/infrastructure/authoritative-dns/deployment.yaml b/k8s/infrastructure/authoritative-dns/deployment.yaml
new file mode 100644
index 0000000..3cf2ce8
--- /dev/null
+++ b/k8s/infrastructure/authoritative-dns/deployment.yaml
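Review bot: `patch` on the `coredns-auth` Deployment in the second rule lets the `coredns-ci` service account rewrite the whole pod template, not merely trigger a restart, and since that pod binds hostPort 53 and tolerates the control-plane taint this is a far broader grant than editing one ConfigMap. If the verb only exists to restart pods after a zone update it is probably unnecessary: deployment.yaml mounts `coredns-auth-zone` as a whole ConfigMap volume (no `subPath`), so the kubelet propagates changes, and as I recall the CoreDNS `file` plugin re-reads the zone when the SOA serial changes (default reload interval one minute) — verify against the CI job before dropping it. Note also that `list` and `watch` under a `resourceNames` restriction are only authorised when the request carries a `metadata.name` field selector, so a plain list of deployments from CI will be denied; fine if intended, but worth a comment. I would add above the second rule `# patch is only needed for rollout restarts; the file plugin reloads the zone on serial change` (or remove the rule) and keep the ConfigMap rule as is, which is correctly scoped. The binding's subject is the `coredns-ci` ServiceAccount in kube-system, which is not visible in this diff — presumably defined by coredns-ci-rbac.yaml.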
@@ -0,0 +1,91 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authoritative-dns
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns-auth-corefile
+ namespace: authoritative-dns
+data:
+ Corefile: |
+ svc.n0ball.tw:5353 {
+ file /etc/coredns-zone/svc.n0ball.tw.zone
+ log
+ errors
+ }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: coredns-auth-zone
+ namespace: authoritative-dns
+data:
+ svc.n0ball.tw.zone: |
+ $ORIGIN svc.n0ball.tw.
+ @ 3600 IN SOA ns1.n0ball.tw. admin.n0ball.tw. (
+ 2026031001 ; serial
+ 3600 ; refresh
+ 600 ; retry
+ 86400 ; expire
+ 60 ; minimum
+ )
+ @ 3600 IN NS ns1.n0ball.tw.
+ @ 3600 IN NS ns2.n0ball.tw.
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: coredns-auth
+ namespace: authoritative-dns
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: coredns-auth
+ template:
+ metadata:
+ labels:
+ app: coredns-auth
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app: coredns-auth
+ topologyKey: kubernetes.io/hostname
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ containers:
+ - name: coredns
+ image: coredns/coredns:1.12.0
+ args: ["-conf", "/etc/coredns/Corefile"]
+ ports:
+ - containerPort: 5353
+ hostPort: 53
+ protocol: UDP
+ - containerPort: 5353
+ hostPort: 53
+ protocol: TCP
+ volumeMounts:
+ - name: corefile
+ mountPath: /etc/coredns
+ - name: zone
+ mountPath: /etc/coredns-zone
+ resources:
+ requests:
+ cpu: 50m
+ memory: 32Mi
+ limits:
+ memory: 64Mi
+ volumes:
+ - name: corefile
+ configMap:
+ name: coredns-auth-corefile
+ - name: zone
+ configMap:
+ name: coredns-auth-zone
diff --git a/k8s/infrastructure/kustomization.yaml b/k8s/infrastructure/kustomization.yaml
index caf78b3..5928b8a 100644
--- a/k8s/infrastructure/kustomization.yaml
+++ b/k8s/infrastructure/kustomization.yaml
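Review bot: The Deployment's pod spec has no `securityContext` and leaves the service-account token automounted, although the Corefile uses only the `file`, `log` and `errors` plugins and never needs the API server. Because the container listens on 5353 rather than 53 it needs no `NET_BIND_SERVICE`, so dropping all capabilities, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` should be safe; `runAsNonRoot: true` is worth adding as well if the image's default user is non-root, which I have not verified for 1.12.0. There is also no liveness or readiness probe — consider adding the `health` (and `ready`) plugin to the Corefile with a matching `livenessProbe`, otherwise a wedged replica keeps its slot under the hostname anti-affinity and port 53 on that node stays dead. Separately, `hostPort: 53` on control-plane nodes may conflict with anything else answering on :53 on those nodes (a local resolver, node-local DNS) — presumably checked, but a comment above `tolerations` saying so would help the next reader.
```yaml
    spec:
      automountServiceAccountToken: false
      # … unchanged: affinity, tolerations …
      containers:
        - name: coredns
          # … unchanged: image, args, ports, volumeMounts, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```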
@@ -12,3 +12,5 @@ resources:
 - oidc-rbac.yaml
 - coredns-custom.yaml
 - coredns-ci-rbac.yaml
+ - authoritative-dns/deployment.yaml
+ - authoritative-dns/ci-rbac.yaml