diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 6ad7f06..e88e7e9 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -2,7 +2,9 @@ name: Deploy DNS Records
 on:
   push:
     branches: [main]
-    paths: [records.yaml]
+    paths:
+      - records.yaml
+      - svc-records.yaml
 
 jobs:
   deploy:
@@ -28,7 +30,7 @@ jobs:
             sudo install kubectl /usr/local/bin/kubectl
           fi
 
-      - name: Generate and apply CoreDNS configmap
+      - name: Apply internal CoreDNS records
         run: |
           cd dns-records
           chmod +x generate.sh
@@ -37,4 +39,15 @@ jobs:
           kubectl apply -f /tmp/coredns-custom.yaml
           kubectl rollout restart deployment/coredns -n kube-system
           kubectl rollout status deployment/coredns -n kube-system --timeout=60s
-          echo "DNS records applied successfully"
+          echo "Internal DNS records applied"
+
+      - name: Apply authoritative zone records
+        run: |
+          cd dns-records
+          chmod +x generate-zone.sh
+          ./generate-zone.sh svc-records.yaml > /tmp/coredns-auth-zone.yaml
+          cat /tmp/coredns-auth-zone.yaml
+          kubectl apply -f /tmp/coredns-auth-zone.yaml
+          kubectl rollout restart deployment/coredns-auth -n authoritative-dns
+          kubectl rollout status deployment/coredns-auth -n authoritative-dns --timeout=60s
+          echo "Authoritative zone records applied"
diff --git a/generate-zone.sh b/generate-zone.sh
new file mode 100755
index 0000000..367dfd6
--- /dev/null
+++ b/generate-zone.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Generates authoritative zone ConfigMap for svc.n0ball.tw from svc-records.yaml
+# Usage: ./generate-zone.sh svc-records.yaml > coredns-auth-zone.yaml
+set -e
+
+RECORDS_FILE="${1:-svc-records.yaml}"
+SERIAL=$(date +%Y%m%d%H)
+
+cat <<EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns-auth-zone
+  namespace: authoritative-dns
+data:
+  svc.n0ball.tw.zone: |
+    \$ORIGIN svc.n0ball.tw.
+    @   3600 IN SOA ns1.n0ball.tw. admin.n0ball.tw. (
+        ${SERIAL} ; serial
+        3600       ; refresh
+        600        ; retry
+        86400      ; expire
+        60         ; minimum
+    )
+    @   3600 IN NS ns1.n0ball.tw.
+    @   3600 IN NS ns2.n0ball.tw.
+EOF
+
+awk '
+/^[a-zA-Z0-9]/ && / IN / {
+  printf "    %s\n", $0
+}
+' "$RECORDS_FILE"
diff --git a/svc-records.yaml b/svc-records.yaml
new file mode 100644
index 0000000..c4e2248
--- /dev/null
+++ b/svc-records.yaml
@@ -0,0 +1,7 @@
+## External DNS Records for svc.n0ball.tw zone
+## Format: name: IP
+## These are served authoritatively to the internet.
+## Push to main to apply changes automatically.
+
+# Example:
+# test 60 IN A 140.115.16.135