diff --git a/README.md b/README.md index c8dd406..e27f670 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,10 @@ The resources/services/activations/deletions that this module will create/trigge and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.11.x is [1.0.0](https://registry.terraform.io/modules/terraform-google-modules/cloud-dns/google/1.0.0). +## Upgrading + +The current version is 3.X. In previous version, you had "record_names" and "record_data", now everything is merge in one unique variable named "recordsets", please see bellow the structure and documentation. + ## Usage Basic usage of this module for a private zone is as follows: @@ -30,11 +34,22 @@ module "dns-private-zone" { "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/my-vpc" ] - record_names = ["localhost"] - record_data = [ + recordsets = [ + { + name = "" + type = "NS" + ttl = 300 + records = [ + "127.0.0.1", + ] + }, { - rrdatas = "127.0.0.1" + name = "localhost" type = "A" + ttl = 300 + records = [ + "127.0.0.1", + ] }, ] } 
@@ -48,12 +63,15 @@ Functional examples are included in the [examples](./examples/) directory. | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| default\_key\_specs\_key | Object containing default key signing specifications : algorithm, key_length, key_type, kind. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details | any | `` | no | +| default\_key\_specs\_zone | Object containing default zone signing specifications : algorithm, key_length, key_type, kind. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details | any | `` | no | +| description | domain description ( shown in console ) | string | `"domain managed by Terraform"` | no | +| dnssec\_config | Object containing : kind, non_existence, state. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details | any | `` | no | | domain | Zone domain, must end with a period. | string | n/a | yes | | name | Zone name, must be unique within the project. | string | n/a | yes | | private\_visibility\_config\_networks | List of VPC self links that can see this zone. | list(string) | `` | no | | project\_id | Project id for the zone. | string | n/a | yes | -| record\_data | List of maps with type, rrdatas and optional ttl for static zone records. | list | `` | no | -| record\_names | List of record names for static zones. | list | `` | no | +| recordsets | List of DNS record objects to manage, in the standard terraform dns structure. | object | `` | no | | target\_name\_server\_addresses | List of target name servers for forwarding zone. | list(string) | `` | no | | target\_network | Peering network. | string | `""` | no | | type | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering'. | string | `"private"` | no | 
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 68b77ae..acdecf8 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -1,4 +1,3 @@ - # Copyright 2019 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/examples/private-zone/main.tf b/examples/private-zone/main.tf index d2e28a1..96f02b9 100644 --- a/examples/private-zone/main.tf +++ b/examples/private-zone/main.tf @@ -23,11 +23,46 @@ module "dns-private-zone" { private_visibility_config_networks = var.network_self_links - record_names = ["localhost"] - record_data = [ + recordsets = [ { - rrdatas = "127.0.0.1" - type = "A" + name = "ns" + type = "A" + ttl = 300 + records = [ + "127.0.0.1", + ] + }, + { + name = "" + type = "NS" + ttl = 300 + records = [ + "ns.${var.domain}", + ] + }, + { + name = "localhost" + type = "A" + ttl = 300 + records = [ + "127.0.0.1", + ] + }, + { + name = "" + type = "MX" + ttl = 300 + records = [ + "1 localhost.", + ] + }, + { + name = "" + type = "TXT" + ttl = 300 + records = [ + "\"v=spf1 -all\"", + ] }, ] } diff --git a/examples/public-zone/main.tf b/examples/public-zone/main.tf index 815a7af..155f606 100644 --- a/examples/public-zone/main.tf +++ b/examples/public-zone/main.tf 
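Review bot: In examples/private-zone/main.tf the new apex `NS` recordset points the zone at `ns.${var.domain}`, whose only address is the new `ns` A record `127.0.0.1`, and examples/public-zone/main.tf in the next hunk adds the identical five records. For a private zone this is harmless illustration, but in a public zone an apex NS set resolving to loopback breaks delegation for anyone who copies the example, assuming the provider replaces the zone's default NS set rather than failing (the integration tests' new count of 6 suggests it does). Either drop the `NS`/`ns` pair from the public example or mark it, e.g. `# apex NS and the "ns" A record are illustrative only; a real public zone must point NS at reachable name servers`.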
@@ -15,17 +15,52 @@ */ module "dns-public-zone" { - source = "../.." - project_id = var.project_id - type = "public" - name = var.name - domain = var.domain - record_names = ["localhost"] + source = "../.." + project_id = var.project_id + type = "public" + name = var.name + domain = var.domain - record_data = [ + recordsets = [ { - rrdatas = "127.0.0.1" - type = "A" + name = "ns" + type = "A" + ttl = 300 + records = [ + "127.0.0.1", + ] + }, + { + name = "" + type = "NS" + ttl = 300 + records = [ + "ns.${var.domain}", + ] + }, + { + name = "localhost" + type = "A" + ttl = 300 + records = [ + "127.0.0.1", + ] + }, + { + name = "" + type = "MX" + ttl = 300 + records = [ + "1 localhost.", + ] + }, + { + name = "" + type = "TXT" + ttl = 300 + records = [ + "\"v=spf1 -all\"", + ] }, ] } diff --git a/examples/public-zone/variables.tf b/examples/public-zone/variables.tf index 7211286..d2cd990 100644 --- a/examples/public-zone/variables.tf +++ b/examples/public-zone/variables.tf @@ -21,10 +21,10 @@ variable "project_id" { variable "name" { description = "DNS zone name." - default = "foo-example-org" + default = "foo-example-invalid-org" } variable "domain" { description = "Zone domain." - default = "foo.example.org." + default = "foo.example-invalid.org." } diff --git a/main.tf b/main.tf index 92459d1..23fe5ff 100644 --- a/main.tf +++ b/main.tf 
@@ -94,19 +94,48 @@ resource "google_dns_managed_zone" "public" { project = var.project_id name = var.name dns_name = var.domain - description = "Terraform-managed zone." + description = var.description visibility = "public" + + dynamic "dnssec_config" { + for_each = var.dnssec_config == {} ? [] : list(var.dnssec_config) + iterator = config + content { + kind = lookup(config, "kind", "dns#managedZoneDnsSecConfig") + non_existence = lookup(config, "non_existence", "nsec3") + state = lookup(config, "state", "off") + + default_key_specs { + algorithm = lookup(var.default_key_specs_key, "algorithm", "rsasha256") + key_length = lookup(var.default_key_specs_key, "key_length", 2048) + key_type = lookup(var.default_key_specs_key, "key_type", "keySigning") + kind = lookup(var.default_key_specs_key, "kind", "dns#dnsKeySpec") + } + default_key_specs { + algorithm = lookup(var.default_key_specs_zone, "algorithm", "rsasha256") + key_length = lookup(var.default_key_specs_zone, "key_length", 1024) + key_type = lookup(var.default_key_specs_zone, "key_type", "zoneSigning") + kind = lookup(var.default_key_specs_zone, "kind", "dns#dnsKeySpec") + } + } + } + } resource "google_dns_record_set" "cloud-static-records" { - count = local.is_static_zone ? length(var.record_names) : 0 project = var.project_id managed_zone = var.name - name = "${element(var.record_names, count.index)}.${var.domain}" - type = var.record_data[count.index]["type"] - ttl = lookup(var.record_data[count.index], "ttl", 300) - rrdatas = split(",", var.record_data[count.index]["rrdatas"]) + for_each = { for record in var.recordsets : join("/", [record.name, record.type]) => record } + name = ( + each.value.name != "" ? + "${each.value.name}.${var.domain}" : + var.domain + ) + type = each.value.type + ttl = each.value.ttl + + rrdatas = each.value.records depends_on = [ google_dns_managed_zone.private, 
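Review bot: The zone-signing default `key_length = lookup(var.default_key_specs_zone, "key_length", 1024)` falls back to a 1024-bit RSA key while the key-signing default on the block above is 2048; 1024-bit RSA is below current guidance for signing keys and nothing explains why the two defaults differ. If the API accepts it for zoneSigning with rsasha256 (confirm against the provider docs), change it to `key_length = lookup(var.default_key_specs_zone, "key_length", 2048)`, or at least document why 1024 was chosen. Separately, `state = lookup(config, "state", "off")` means a caller who sets `dnssec_config = { kind = "dns#managedZoneDnsSecConfig" }` without `state` gets a dnssec_config block that is effectively disabled, so a comment such as `# state defaults to "off": callers must set state = "on" to actually enable signing` would prevent a silent misconfiguration. The `google_dns_managed_zone.public` resource block starts before this hunk.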
diff --git a/test/fixtures/public_zone/variables.tf b/test/fixtures/public_zone/variables.tf index b78e088..f8e2923 100644 --- a/test/fixtures/public_zone/variables.tf +++ b/test/fixtures/public_zone/variables.tf @@ -21,5 +21,5 @@ variable "project_id" { variable "name" { description = "DNS zone name." - default = "foo-example-org" + default = "foo-example-invalid-org" } diff --git a/test/integration/private_zone/controls/gcp.rb b/test/integration/private_zone/controls/gcp.rb index 7f1444b..7fd563a 100644 --- a/test/integration/private_zone/controls/gcp.rb +++ b/test/integration/private_zone/controls/gcp.rb @@ -21,7 +21,7 @@ end describe google_dns_resource_record_sets(project: attribute('project_id'), managed_zone: attribute('name')) do - its('count') { should eq 3 } + its('count') { should eq 6 } its('types') { should include 'A' } its('targets.flatten') { should include '127.0.0.1' } end diff --git a/test/integration/public_zone/controls/gcp.rb b/test/integration/public_zone/controls/gcp.rb index c494221..41ebe85 100644 --- a/test/integration/public_zone/controls/gcp.rb +++ b/test/integration/public_zone/controls/gcp.rb @@ -20,7 +20,7 @@ end describe google_dns_resource_record_sets(project: attribute('project_id'), managed_zone: attribute('name')) do - its('count') { should eq 3 } + its('count') { should eq 6 } its('types') { should include 'A' } its('targets.flatten') { should include '127.0.0.1' } end diff --git a/variables.tf b/variables.tf index 3792b49..a7c7abb 100644 --- a/variables.tf +++ b/variables.tf 
@@ -50,22 +50,48 @@ variable "target_network" { default = "" } +variable "description" { + description = "domain description ( shown in console )" + default = "domain managed by Terraform" + type = string +} + variable "type" { description = "Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering'." default = "private" type = string } +variable "dnssec_config" { + description = "Object containing : kind, non_existence, state. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details" + type = any + default = {} +} + +variable "default_key_specs_key" { + description = "Object containing default key signing specifications : algorithm, key_length, key_type, kind. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details" + type = any + default = {} +} + +variable "default_key_specs_zone" { + description = "Object containing default zone signing specifications : algorithm, key_length, key_type, kind. Please see https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for futhers details" + type = any + default = {} +} + + ############################################################################### # record variables # ############################################################################### -variable "record_names" { - description = "List of record names for static zones." - default = [] -} - -variable "record_data" { - description = "List of maps with type, rrdatas and optional ttl for static zone records." +variable "recordsets" { + type = list(object({ + name = string + type = string + ttl = number + records = list(string) + })) + description = "List of DNS record objects to manage, in the standard terraform dns structure." default = [] }
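Review bot: The three new `dnssec_config` / `default_key_specs_key` / `default_key_specs_zone` descriptions list which keys the object may contain but not what happens when a key is omitted, and all three repeat the typo `futhers`. Because main.tf fills missing keys with fixed defaults via `lookup`, the description should state them so a caller knows that leaving out `state` yields an unsigned zone, e.g. `description = "DNSSEC configuration object with optional keys kind, non_existence and state; omitted keys fall back to the module defaults (state \"off\", non_existence \"nsec3\"). See https://www.terraform.io/docs/providers/google/r/dns_managed_zone.html#dnssec_config for further details"`, and similarly name the algorithm/key_length defaults for the two key-spec variables. `type = any` on these variables also means a misspelled key is silently ignored by `lookup` rather than rejected at plan time, which is worth a sentence in each description as well.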