diff --git a/ansible/roles/designate/defaults/main.yml b/ansible/roles/designate/defaults/main.yml
index 3af79afdff..8e3f500489 100644
--- a/ansible/roles/designate/defaults/main.yml
+++ b/ansible/roles/designate/defaults/main.yml
@@ -140,3 +140,11 @@ openstack_designate_auth: "{{ openstack_auth }}"
 designate_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}"
 designate_dev_repos_pull: "{{ kolla_dev_repos_pull }}"
 designate_dev_mode: "{{ kolla_dev_mode }}"
+
+####################
+## Designate
+#####################
+designate_dnssec_validation: "yes"
+designate_recursion: "no"
+## Example for designate_forwarders_addresses: "10.199.200.1; 10.199.100.1"
+designate_forwarders_addresses: ""
diff --git a/ansible/roles/designate/templates/named.conf.j2 b/ansible/roles/designate/templates/named.conf.j2
index 89bd3a952a..60b16f2691 100644
--- a/ansible/roles/designate/templates/named.conf.j2
+++ b/ansible/roles/designate/templates/named.conf.j2
@@ -3,10 +3,11 @@ options {
         listen-on port {{ designate_bind_port }} { {{ hostvars[inventory_hostname]['ansible_' + hostvars[inventory_hostname]['api_interface']]['ipv4']['address'] }}; };
         directory       "/var/lib/named";
         allow-new-zones yes;
-        dnssec-validation auto;
+        dnssec-validation {{ designate_dnssec_validation }};
         auth-nxdomain no;
         request-ixfr no;
-        recursion no;
+        recursion {{ designate_recursion }};
+        forwarders { {{ designate_forwarders_addresses }}; };
         minimal-responses yes;
         allow-notify { {% for host in groups['designate-worker'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }};{% endfor %} };
 };