Linode DNS Zone & Records
Complete DNS zone with typed record management and sane TTL defaults on Linode's free DNS Manager.
Verification
Static-verified. Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).
Conformance
- Static validation (fmt · validate · tflint)
- Security scan: findings disclosed (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live test pending (no cloud run yet)
Last verified 2026-06-28
Documentation
linode-domain
Complete Linode DNS zone (DNS Manager) with typed, declarative record
management and sane TTL defaults. Master (authoritative) or slave (AXFR
mirror) zones. Works with Terraform and OpenTofu (>= 1.6), Linode
provider >= 3.14, < 4.0.
Status: static-validated, live-test pending. This module ships under live-test quarantine: it has passed
tofu fmt, tofu validate, and tflint, but the real apply → verify → destroy gate is pending a Linode sandbox account. Treat the secure defaults below as the contract.
Design & secure defaults
- One declarative records map. Every record is a typed object validated at plan time — record_type is constrained to the supported set, CAA records must carry a valid tag, and SRV records must supply service, protocol, and port. No stringly-typed footguns.
- AXFR closed by default. axfr_ips is empty unless you explicitly run secondary nameservers — open zone transfer leaks your entire zone to anyone, so the module never opens it for you.
- Master/slave correctness enforced. A master zone must declare soa_email; a slave zone must declare master_ips. Both are checked with plan-time preconditions, not discovered at apply.
- CAA encouraged. The example pins certificate issuance to a single CA via a CAA record — a cheap, high-value control most zones omit.
- Sane TTLs. Zone and per-record TTLs default to 3600s; Linode rounds to its supported steps. The module surfaces Linode's authoritative nameservers as an output so you can complete delegation at your registrar.
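One way the plan-time checks described above can be expressed in Terraform/OpenTofu. This is an added example, not the module's own source: variable names follow the Inputs table, while the resource label `this`, the literal `example.com`, and the error messages are assumptions.

```hcl
# Added example (not the module's source). Names mirror the Inputs table.
terraform {
  required_providers {
    linode = { source = "linode/linode", version = ">= 3.14, < 4.0" }
  }
}
variable "type" {
  type    = string
  default = "master"
}
variable "soa_email" {
  type    = string
  default = null
}
variable "master_ips" {
  type    = list(string)
  default = []
}
variable "records" {
  type = map(object({ record_type = string, target = string, tag = optional(string),
  service = optional(string), protocol = optional(string), port = optional(number) }))
  default = {}
  # record_type is limited to the supported set.
  validation {
    condition     = alltrue([for r in var.records : contains(["A", "AAAA", "CNAME", "MX", "TXT", "NS", "PTR", "SRV", "CAA"], r.record_type)])
    error_message = "Each record_type must be one of A, AAAA, CNAME, MX, TXT, NS, PTR, SRV, CAA."
  }
  # CAA needs a valid tag; coalesce() keeps a null tag from reaching contains().
  validation {
    condition     = alltrue([for r in var.records : r.record_type != "CAA" || contains(["issue", "issuewild", "iodef"], coalesce(r.tag, "unset"))])
    error_message = "CAA records must set tag to issue, issuewild, or iodef."
  }
  # SRV needs service, protocol, and port.
  validation {
    condition     = alltrue([for r in var.records : r.record_type != "SRV" || (r.service != null && r.protocol != null && r.port != null)])
    error_message = "SRV records must supply service, protocol, and port."
  }
}
resource "linode_domain" "this" {
  domain     = "example.com" # assumed literal for the example
  type       = var.type
  soa_email  = var.soa_email
  master_ips = var.master_ips
  axfr_ips   = [] # zone transfer stays closed unless secondaries are listed
  lifecycle {
    # Cross-variable rule: master needs soa_email, slave needs master_ips.
    precondition {
      condition     = var.type == "master" ? var.soa_email != null : length(var.master_ips) > 0
      error_message = "A master zone must declare soa_email; a slave zone must declare master_ips."
    }
  }
}
```

A violated rule fails at `tofu plan`, before any API call is made to Linode.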
Usage
```hcl
module "zone" {
  source    = "./linode-domain"
  domain    = "example.com"
  soa_email = "[email protected]"

  records = {
    apex_a    = { record_type = "A", name = "", target = "192.0.2.10" }
    www_cname = { record_type = "CNAME", name = "www", target = "example.com" }
    mail_mx   = { record_type = "MX", name = "", target = "mail.example.com", priority = 10 }
    le_caa    = { record_type = "CAA", name = "", target = "letsencrypt.org", tag = "issue" }
  }
}
```
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| domain | string | — | Zone apex FQDN, e.g. example.com (required) |
| type | string | "master" | master or slave |
| soa_email | string | null | Admin contact (required for master zones) |
| description | string | "Managed by Terraform (IaC Bazaar)." | DNS Manager description |
| status | string | "active" | active, disabled, or edit_mode |
| master_ips | list(string) | [] | Master nameserver IPs (required for slave) |
| axfr_ips | list(string) | [] | IPs allowed to AXFR (kept empty by default) |
| ttl_sec | number | 3600 | Default zone TTL (0 = Linode default) |
| refresh_sec / retry_sec / expire_sec | number | 0 | SOA timers (0 = Linode default) |
| tags | list(string) | [] | Zone tags |
| records | map(object) | {} | DNS records (see below) |
Each records entry: record_type (A/AAAA/CNAME/MX/TXT/NS/PTR/SRV/CAA,
required), name (relative to the zone; ""/@ = apex; omitted for SRV),
target (required), ttl_sec (default 3600), priority (MX/SRV), weight +
port + service + protocol (SRV), tag (CAA: issue/issuewild/iodef).
Outputs
| Name | Description |
|---|---|
| domain_id | DNS zone ID |
| domain | Zone domain name |
| type | Zone type |
| status | Serving status |
| record_ids | record key => record ID |
| nameservers | Linode authoritative NS (set these at your registrar) |
Requirements
- Terraform or OpenTofu >= 1.6
- linode/linode provider >= 3.14, < 4.0
- DNS Manager is free, but Linode only serves a zone while the account has
at least one active Linode service. Delegate the domain at your registrar to
the nameservers output.
License
Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work
(not derived from a third-party module).