diff --git a/src/README.md b/src/README.md
index 942d42b..0231cec 100644
--- a/src/README.md
+++ b/src/README.md
@@ -10,6 +10,29 @@ designate-bind relies on designate charm.
juju deploy designate
juju add-relation designate designate-bind
+## Recursion and forwarders
+
+By default, this charm only resolves names in zones managed by
+Designate. You can optionally enable recursion or forwarders to resolve
+names outside of Designate, such as google.com or archive.ubuntu.com.
+
+Recursion and forwarders should be enabled with extra care. You should
+also enable ACLs with allowed_nets and/or allowed_recursion_nets.
+Otherwise, the DNS server may be open for anyone which could be used for
+some attacks as an open resolver.
+
+For example, when you want to allow DNS clients in local networks only,
+and use 8.8.8.8 and 8.8.4.4 as upstream DNS servers, You can set charm
+options like:
+
+ juju config designate-bind allowed_nets='10.0.0.0/8;172.16.0.0/12;192.168.0.0/16'
+ juju config designate-bind forwarders='8.8.8.8;8.8.4.4'
+
+Or if you want to use BIND9 set up by the charm as a full-service resolver, set the following options for example:
+
+ juju config designate-bind allowed_nets='10.0.0.0/8;172.16.0.0/12;192.168.0.0/16'
+ juju config designate-bind recursion=true
+
# Network Space support
This charm supports the use of Juju Network Spaces, allowing the charm
diff --git a/src/config.yaml b/src/config.yaml
index 80e1017..e1210e8 100644
--- a/src/config.yaml
+++ b/src/config.yaml
@@ -3,10 +3,38 @@ options:
default: ""
type: string
description: |
- String containing a list of allowed networks, separated by semicolons: e.g., "10.172.0.0/16;10.10.0.0/18"
+ String containing a list of allowed networks of hosts for DNS
+ queries, separated by semicolons: e.g.,
+ "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16". The option is
+ equivalent to "allow-query" in BIND9. If not specified, the
+ default is to allow queries from all hosts.
+ allowed_recursion_nets:
+ default: ""
+ type: string
+ description: |
+ String containing a list of allowed networks of hosts for
+ recursive queries through the designate-bind servers, spearated by
+ semicolons: e.g., "10.0.0.0/8;172.16.0.0/12;192.168.0.0/16". The
+ option is equivalent to "allow-recursion" in BIND9. If
+ allowed_recursion_nets is not set then allowed_nets is used if
+ set, otherwise any will be set to allow recursive queries from all
+ hosts.
forwarders:
default: ""
type: string
description: |
- String containing a list of forwarders, separated by semicolons: e.g., "8.8.8.8;10.1.1.1"
-
+ String containing a list of forwarders, separated by semicolons:
+ e.g., "8.8.8.8;8.8.4.4". As non-empty forwarders option implies
+ recursion, recursive queries will be enabled regardless of the
+ value set in the recursion option. When using this option, ACLs
+ should be used with allowed_nets and/or allowed_recursion_nets to
+ prevent it from being a open resolver.
+ recursion:
+ default: false
+ type: boolean
+ description: |
+ Whether or not to enable recursive queries with BIND9 itself to be
+ installed by the charm. The option is equivalent to "recursion" in
+ BIND9. When using this option, ACLs should be used with
+ allowed_nets and/or allowed_recursion_nets to prevent it from
+ being a open resolver.
diff --git a/src/templates/named.conf.options b/src/templates/named.conf.options
index bba7d17..dd90811 100644
--- a/src/templates/named.conf.options
+++ b/src/templates/named.conf.options
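Review bot: The new option descriptions carry typos that operators will see verbatim in `juju config` output: `spearated by` under allowed_recursion_nets should read `separated by`, and `being a open resolver` (in both the forwarders and recursion descriptions) should read `being an open resolver`. The opening sentence of the recursion description is hard to parse; `Whether to enable recursive queries in the BIND9 server installed by the charm.` states the same thing more plainly. The closing sentence of the allowed_recursion_nets description would also be clearer as `If neither is set, recursive queries are allowed from all hosts (any).`, which is what the template's fallback branch does.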
@@ -2,8 +2,14 @@ acl allow_query {
{{ options.allowed_nets }};
};
+{%- endif %}
+
+{% if options.allowed_recursion_nets -%}
+acl allow_recursion {
+ {{ options.allowed_recursion_nets }};
+};
+{%- endif %}
-{% endif -%}
options {
directory "/var/cache/bind";
@@ -20,7 +26,9 @@ options {
forwarders {
{{ options.forwarders }};
};
- {% endif -%}
+ forward only;
+ {%- endif %}
+
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
@@ -31,11 +39,25 @@ options {
listen-on-v6 { any; };
allow-new-zones yes;
request-ixfr no;
+ {% if options.forwarders or options.recursion -%}
+ recursion yes;
+
+ {% if options.allowed_recursion_nets -%}
+ allow-recursion { allow_recursion; };
+ {% elif options.allowed_nets -%}
+ allow-recursion { allow_query; };
+ {% else -%}
+ allow-recursion { any; };
+ {% endif -%}
+
+ {% else -%}
recursion no;
+ {% endif -%}
+
statistics-file "/var/cache/bind/named.stats";
zone-statistics yes;
allow-notify { {{ dns_backend.control_ips }}; };
{% if options.allowed_nets -%}
allow-query { allow_query; };
- {% endif -%}
+ {%- endif %}
};
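Review bot: The added `forward only;` in the forwarders hunk changes failure behaviour in a way the forwarders option description does not mention: in this mode BIND sends queries only to the listed forwarders and does not fall back to iterative resolution when they do not answer, so an unreachable upstream turns into resolution failures for every client. Either document that in config.yaml, e.g. `Forwarding is "forward only": if the forwarders are unreachable, queries fail rather than being resolved iteratively.`, or make the forward mode a charm option. The enclosing `options { }` block begins and ends outside this hunk.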
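Review bot: The `{% else -%}` branch of the new allow-recursion block emits `allow-recursion { any; };`, which is more permissive than what BIND itself applies when the directive is absent (localhost and localnets in 9.4 and later), and together with `listen-on-v6 { any; };` in the context lines and the empty default for allowed_nets it means that setting only `forwarders` or `recursion=true` yields a resolver open to every host that can reach the unit. Since the README and config.yaml text in this commit already tell operators to pair these options with ACLs, the template should fail closed instead of open: drop the `{% else -%}` branch so BIND's default applies, or emit `allow-recursion { localnets; localhost; };` there, and adjust the allowed_recursion_nets description to match. The enclosing `options { }` block begins outside this hunk.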