diff --git a/host_vars/dnspri.universe.local.yml b/host_vars/dnspri.universe.local.yml new file mode 100644 index 0000000..7a0fb92 --- /dev/null +++ b/host_vars/dnspri.universe.local.yml @@ -0,0 +1,2 @@ +powerdns_server: True +powerdns_primary: True \ No newline at end of file diff --git a/host_vars/dnssec1.universe.local.yml b/host_vars/dnssec1.universe.local.yml new file mode 100644 index 0000000..2155a80 --- /dev/null +++ b/host_vars/dnssec1.universe.local.yml @@ -0,0 +1,3 @@ +powerdns-server: True +powerdns-primary: False +powerdns-secondary: True diff --git a/host_vars/dnssec2.universe.local.yml b/host_vars/dnssec2.universe.local.yml new file mode 120000 index 0000000..a82f5a2 --- /dev/null +++ b/host_vars/dnssec2.universe.local.yml @@ -0,0 +1 @@ +dnssec1.universe.local.yml \ No newline at end of file diff --git a/hosts b/hosts index c8c81cd..6e83d6d 100644 --- a/hosts +++ b/hosts @@ -119,6 +119,9 @@ tuxedo-book-xp1511.universe.local [nameserver] coruscant.universe.local +dnspri1.universe.local +dnssec1.universe.local +dnssec2.universe.local mewimeet.de mewitoot.de ns1.universe.local diff --git a/roles/database/tasks/install_mysql.yml b/roles/database/tasks/install_mysql.yml index d972aaf..b877fd0 100644 --- a/roles/database/tasks/install_mysql.yml +++ b/roles/database/tasks/install_mysql.yml @@ -1,2 +1,12 @@ - debug: - msg: "mysql: {{ mysql }}" \ No newline at end of file + msg: "mysql: {{ mysql }}" + +- name: database | mariadb | install mariadb packages + package: + name: "{{ item.package }}" + update_cache: yes + cache_valid_time: 3600 + state: present + install_recommends: no + become: yes + with_items: "{{ mysql_pkgs.packages }}" \ No newline at end of file diff --git a/roles/database/vars/debian.yml b/roles/database/vars/debian.yml index 1f75b2f..164cddc 100644 --- a/roles/database/vars/debian.yml +++ b/roles/database/vars/debian.yml 
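Review bot: This file is named `host_vars/dnspri.universe.local.yml`, but the inventory entry the same commit adds to `hosts` is `dnspri1.universe.local`, so these vars never attach to any host and the primary is never configured with PowerDNS. Rename the file to `host_vars/dnspri1.universe.local.yml` (or fix the inventory name) so the two agree. While here, write the booleans as `powerdns_server: true` / `powerdns_primary: true`: the role's `is true` test accepts YAML `True`, but lowercase is the Ansible convention and avoids YAML 1.1/1.2 truthiness surprises.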
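Review bot: `powerdns-server`, `powerdns-primary` and `powerdns-secondary` use hyphens, which are not usable Ansible variable names (they cannot be referenced as `{{ powerdns-server }}`), and they do not match the `powerdns_server` / `powerdns_primary` names the role's `when:` clauses test, so dnssec1 and the dnssec2 symlink fall through to neither the bind block nor the PowerDNS block. Change the keys to `powerdns_server: true`, `powerdns_primary: false`, `powerdns_secondary: true`. Nothing in this diff reads `powerdns_secondary`, so either wire it up (a secondary-specific backend config, for example) or drop it until something consumes it.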
@@ -3,6 +3,10 @@ redis_pkgs: - package: "redis-server" - package: "redis-tools" +mysql_pkgs: + packages: + - package: "mariadb-server" + postgres_pkgs: packages: - package: "libpq-dev" diff --git a/roles/database/vars/ubuntu.yml b/roles/database/vars/ubuntu.yml index 1f75b2f..164cddc 100644 --- a/roles/database/vars/ubuntu.yml +++ b/roles/database/vars/ubuntu.yml @@ -3,6 +3,10 @@ redis_pkgs: - package: "redis-server" - package: "redis-tools" +mysql_pkgs: + packages: + - package: "mariadb-server" + postgres_pkgs: packages: - package: "libpq-dev" diff --git a/roles/nameserver/tasks/configure_powerdns_server_snmpd.yml b/roles/nameserver/tasks/configure_powerdns_server_snmpd.yml new file mode 100644 index 0000000..0ff3b44 --- /dev/null +++ b/roles/nameserver/tasks/configure_powerdns_server_snmpd.yml @@ -0,0 +1,27 @@ +- name: "Nameserver: powerdns-server | snmpd | get script" + get_url: + url: "https://github.com/librenms/librenms-agent/raw/master/snmp/powerdns.py" + dest: "/etc/snmp/powerdns.py" + mode: "0755" + owner: "root" + group: "root" + +- name: "Nameserver: powerdns-server | snmpd | remove bind script" + file: + path: "/etc/snmp/bind" + state: absent + +- name: "Nameserver: powerdns-server | snmpd | configure extend" + lineinfile: + path: "{{ snmpd_conf }}" + state: present + line: "extend powerdns {{ sudo }} /etc/snmp/powerdns.py" + insertafter: "# SECTION: Extends" + notify: restart_snmpd + +- name: "Nameserver: powerdns-server | snmpd | remove bind extend" + lineinfile: + path: "{{ snmpd_conf }}" + state: absent # not required. choices: absent;present. Whether the line should be there or not. + line: "extend unbound {{ sudo }} /etc/snmp/bind" + notify: restart_snmpd diff --git a/roles/nameserver/tasks/install_powerdns_server.yml b/roles/nameserver/tasks/install_powerdns_server.yml new file mode 100644 index 0000000..e82b20e --- /dev/null +++ b/roles/nameserver/tasks/install_powerdns_server.yml 
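Review bot: The first task fetches `powerdns.py` from the `master` branch of librenms-agent with no `checksum:`, and the `extend` line then runs it via `{{ sudo }}`, so whatever upstream master contains at provisioning time, or whatever an attacker able to alter that response serves, is executed as root on every SNMP poll. Pin the URL to a commit SHA and add `checksum: "sha256:<digest of the reviewed file>"` to `get_url`, or vendor the reviewed script under `roles/nameserver/files/` and deploy it with `copy`. Also, the last task removes `extend unbound {{ sudo }} /etc/snmp/bind`; if the bind tasks (outside this diff) write that line as `extend bind …`, this `state: absent` never matches and the stale extend stays in snmpd.conf, so confirm the exact string.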
@@ -0,0 +1,59 @@ +- name: nameserver | powerdns-server | install packages + package: + name: "{{ powerdns_server_package }}" + state: present + +- name: nameserver | powerdns-server | install backends + package: + name: "{{ item.package }}" + state: latest + with_items: "{{ powerdns_backends }}" + +- name: nameserver | powerdns-server | install and configure database + block: + - set_fact: + key_value: mysql=True + - include_role: + name: database # required. The name of the role to be executed. + - name: nameserver | powerdns-server | create database + mysql_db: + name: "{{ pdns_db_name }}" # required. name of the database to add or remove. I(name=all) May only be provided if I(state) is C(dump) or C(import). List of databases is provided with I(state=dump), I(state=present) and I(state=absent). if name=all Works like --all-databases option for mysqldump (Added in 2.0). + state: present # not required. choices: present;absent;dump;import. The database state + encoding: "utf8" # not required. Encoding mode to use, examples include C(utf8) or C(latin1_swedish_ci) + - name: nameserver | powerdns-server | import database + mysql_db: + name: "{{ pdns_db_name }}" + state: import + target: "{{ pdns_mysql_schema }}" # not required. Location, on the remote host, of the dump file to read from or write to. Uncompressed SQL files (C(.sql)) as well as bzip2 (C(.bz2)), gzip (C(.gz)) and xz (Added in 2.0) compressed files are supported. + - name: nameserver | powerdns-server | create database user + mysql_user: + name: "{{ pdns_db_user }}" # required. Name of the user (role) to add or remove. + password: "{{ pdns_db_passwd }}" # not required. Set the user's password.. + host: localhost + priv: "{{ pdns_db_name }}.*:ALL" # not required. MySQL privileges string in the format: C(db.table:priv1,priv2). Multiple privileges can be specified by separating each one using a forward slash: C(db.table:priv/db.table:priv). The format is based on MySQL C(GRANT) statement. 
Database and table names can be quoted, MySQL-style. If column privileges are used, the C(priv1,priv2) part must be exactly as returned by a C(SHOW GRANT) statement. If not followed, the module will always report changes. It includes grouping columns by permission (C(SELECT(col1,col2)) instead of C(SELECT(col1),SELECT(col2))). + append_privs: False # not required. Append the privileges defined by priv to the existing ones for this user instead of overwriting existing ones. + sql_log_bin: True # not required. Whether binary logging should be enabled or disabled for the connection. + state: present # not required. choices: absent;present. Whether the user should exist. When C(absent), removes the user. + update_password: on_create # not required. choices: always;on_create. C(always) will update passwords if they differ. C(on_create) will only set the password for newly created users. + - name: nameserver | powerdns-server | copy config + template: + src: "powerdns-server-pri-mysql-config.j2" + dest: "/etc/powerdns/pdns.d/mysql.conf" + mode: "0644" + owner: "root" + group: "root" + when: + - powerdns_primary is defined + - powerdns_primary is true + +- name: nameserver | powerdns-recursor | disable bind + service: + name: "named" + state: stopped + enabled: False + +- name: nameserver | powerdns-recursor | enable service + service: + name: "pdns" + state: started + enabled: True diff --git a/roles/nameserver/tasks/main.yml b/roles/nameserver/tasks/main.yml index 3b42e7c..b220ad4 100644 --- a/roles/nameserver/tasks/main.yml +++ b/roles/nameserver/tasks/main.yml 
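Review bot: The template task writes `/etc/powerdns/pdns.d/mysql.conf`, which carries `gmysql-password`, with `mode: "0644"`, so every local account can read the database password; use `mode: "0640"` with `group` set to the PowerDNS service account (presumably `pdns` on Debian, confirm) so only root and the daemon can read it. Separately, `set_fact: key_value: mysql=True` defines a fact named `key_value` holding the string `mysql=True`; it does not set `mysql`, so the included database role, whose `install_mysql.yml` references `{{ mysql }}`, will not see it, and the intended form is `- set_fact:` / `    mysql: true`. `mysql_db` with `state: import` re-runs the schema SQL on every play, which is not idempotent once the tables exist; guard it with a check such as a registered query for the `domains` table or a marker file. Finally, `update_password: on_create` means a later change to `pdns_db_passwd` updates the rendered config but not the MySQL account, leaving PowerDNS unable to connect; use `always`, or document that rotation needs a manual step.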
@@ -38,7 +38,18 @@ when: - bind is defined - bind is true - - powerdns_auth is not defined or powerdns_auth is false + - powerdns_server is not defined or powerdns_server is false + + - name: nameserver | powerdns-server | install and configure + block: + - name: nameserver | powerdns-server | install + include_tasks: install_powerdns_server.yml + - name: nameserver | powerdns-server | configure + include_tasks: configure_powerdns_server_snmpd.yml + when: + - powerdns_server is defined + - powerdns_server is true + - bind is not defined or bind is false rescue: - set_fact: task_failed=true diff --git a/roles/nameserver/templates/powerdns-server-pri-mysql-config.j2 b/roles/nameserver/templates/powerdns-server-pri-mysql-config.j2 new file mode 100644 index 0000000..8334331 --- /dev/null +++ b/roles/nameserver/templates/powerdns-server-pri-mysql-config.j2 @@ -0,0 +1,3 @@ +gmysql-socket = {{ pdns_mysql_socket }} +gmysql-password = {{ pdns_db_passwd }} +gmysql-dnssec = Yes diff --git a/roles/nameserver/vars/debian.yml b/roles/nameserver/vars/debian.yml index 55480eb..9849fb3 100644 --- a/roles/nameserver/vars/debian.yml +++ b/roles/nameserver/vars/debian.yml @@ -1,13 +1,16 @@ bind_package: bind9 unbound_package: unbound perl_readbackwards: libfile-readbackwards-perl -powerdns_server_package: pdns-server -powerdns_recursor_package: pdns-recursor -powerdns_tools_package: pdns-tools +# PowerDNS specific +powerdns_recursor_package: pdns-recursor +powerdns_server_package: pdns-server +powerdns_tools_package: pdns-tools powerdns_backends: - package: pdns-backend-bind - package: pdns-backend-mysql +pdns_mysql_schema: "/usr/share/pdns-backend-mysql/schema/schema.mysql.sql" +pdns_mysql_socket: "/run/mysqld/mysqld.sock" # named / bind specific named_conf_zones: /etc/bind/named.conf.default-zones diff --git a/roles/nameserver/vars/main.yml b/roles/nameserver/vars/main.yml new file mode 100644 index 0000000..5afe122 --- /dev/null +++ b/roles/nameserver/vars/main.yml 
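Review bot: The template only sets `gmysql-socket`, `gmysql-password` and `gmysql-dnssec`, so the backend relies on PowerDNS's built-in defaults for user and database name (both `powerdns` in current releases, I believe); that works only because `pdns_db_user` and `pdns_db_name` in vars/main.yml happen to equal those defaults, and changing either var would break the connection silently while the grants still look correct. Add `gmysql-user = {{ pdns_db_user }}` and `gmysql-dbname = {{ pdns_db_name }}` so the config and the `mysql_user` grants stay in step. A header comment such as `# managed by Ansible (roles/nameserver), do not edit by hand` also helps operators who find this file on the box.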
@@ -0,0 +1,3 @@
+pdns_db_name: "powerdns"
+pdns_db_user: "powerdns"
+pdns_db_passwd: "alsdkafhdfgjrnyödfdfjksdzlyso57sfn7093c5n7aß46bs946r9xbr85xr6"
\ No newline at end of file
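Review bot: `pdns_db_passwd` is a plaintext database credential committed to the repository, and in `roles/nameserver/vars/main.yml` of all places, where role vars take precedence over inventory and cannot be overridden per host. Move the value into an `ansible-vault`-encrypted file (for example `group_vars/nameserver/vault.yml`), reference it from here as `pdns_db_passwd: "{{ vault_pdns_db_passwd }}"`, and treat the committed value as compromised and rotate it, since it remains in git history. The string also contains non-ASCII characters (`ö`, `ß`); PowerDNS config parsing and the MySQL client's character-set handling may not agree on their byte encoding, so generate the replacement from `[A-Za-z0-9]` only.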