Linode DNS Zone & Records

linode-domain

Complete Linode DNS zone (DNS Manager) with typed, declarative record management and sane TTL defaults. Master (authoritative) or slave (AXFR mirror) zones. Works with Terraform and OpenTofu (>= 1.6), Linode provider >= 3.14, < 4.0.

Status: static-validated, live-test pending. This module ships under live-test quarantine: it has passed tofu fmt, tofu validate, and tflint, but the real apply → verify → destroy gate is pending a Linode sandbox account. Treat the secure defaults below as the contract.

Design & secure defaults

• One declarative records map. Every record is a typed object validated at plan time — record_type is constrained to the supported set, CAA records must carry a valid tag, and SRV records must supply service, protocol, and port. No stringly-typed footguns.
• AXFR closed by default. axfr_ips is empty unless you explicitly run secondary nameservers — open zone transfer leaks your entire zone to anyone, so the module never opens it for you.
• Master/slave correctness enforced. A master zone must declare soa_email; a slave zone must declare master_ips. Both are checked with plan-time preconditions, not discovered at apply.
• CAA encouraged. The example pins certificate issuance to a single CA via a CAA record — a cheap, high-value control most zones omit.
• Sane TTLs. Zone and per-record TTLs default to 3600s; Linode rounds to its supported steps. The module surfaces Linode's authoritative nameservers as an output so you can complete delegation at your registrar.

Usage

module "zone" {
  source = "./linode-domain"

  domain    = "example.com"
  soa_email = "[email protected]"

  records = {
    apex_a    = { record_type = "A", name = "", target = "192.0.2.10" }
    www_cname = { record_type = "CNAME", name = "www", target = "example.com" }
    mail_mx   = { record_type = "MX", name = "", target = "mail.example.com", priority = 10 }
    le_caa    = { record_type = "CAA", name = "", target = "letsencrypt.org", tag = "issue" }
  }
}

Inputs

Name	Type	Default	Description
domain	string	—	Zone apex FQDN, e.g. example.com (required)
type	string	"master"	master or slave
soa_email	string	null	Admin contact (required for master zones)
description	string	"Managed by Terraform (IaC Bazaar)."	DNS Manager description
status	string	"active"	active, disabled, or edit_mode
master_ips	list(string)	[]	Master nameserver IPs (required for slave)
axfr_ips	list(string)	[]	IPs allowed to AXFR (kept empty by default)
ttl_sec	number	3600	Default zone TTL (0 = Linode default)
refresh_sec / retry_sec / expire_sec	number	0	SOA timers (0 = Linode default)
tags	list(string)	[]	Zone tags
records	map(object)	{}	DNS records (see below)

Each records entry: record_type (A/AAAA/CNAME/MX/TXT/NS/PTR/SRV/CAA, required), name (relative to the zone; ""/@ = apex; omitted for SRV), target (required), ttl_sec (default 3600), priority (MX/SRV), weight + port + service + protocol (SRV), tag (CAA: issue/issuewild/iodef).

Outputs

Name	Description
domain_id	DNS zone ID
domain	Zone domain name
type	Zone type
status	Serving status
record_ids	record key => record ID
nameservers	Linode authoritative NS (set these at your registrar)

Requirements

• Terraform or OpenTofu >= 1.6
• linode/linode provider >= 3.14, < 4.0
• DNS Manager is free, but Linode only serves a zone while the account has at least one active Linode service. Delegate the domain at your registrar to the nameservers output.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).