diff --git a/group_vars/all/dyn_dns.yml b/group_vars/all/dyn_dns.yml
index 6d6bce7bc079635539f76010c24612c9e27e6277..e0c60562293a130cffbdfeb31d4c0b699796ecfc 100644
--- a/group_vars/all/dyn_dns.yml
+++ b/group_vars/all/dyn_dns.yml
@@ -6,3 +6,9 @@ dyn_dns_zones:
     allowed_ipv6: "{{ groups['geo_mirrors'] | map('extract', hostvars, ['ipv6_address']) }}"
     valid_qtypes: [TXT]
   _acme-challenge.riscv.mirror.pkgbuild.com: *acme_challenge
+  sandbox.archlinux.page:
+    key: sandbox
+    allowed_ipv4: "{{ groups['gitlab_runners'] | map('extract', hostvars, ['ipv4_address']) }}"
+    allowed_ipv6: "{{ groups['gitlab_runners'] | map('extract', hostvars, ['ipv6_address']) }}"
+    valid_qtypes: [A, AAAA]
+    subdomains: only
diff --git a/group_vars/all/vault_dyn_dns_keys.yml b/group_vars/all/vault_dyn_dns_keys.yml
index 272d3993442dbdbebea51b0f8ff670e5eb8325ad..90e650c27ea074627a32929431921acfade5c3d4 100644
--- a/group_vars/all/vault_dyn_dns_keys.yml
+++ b/group_vars/all/vault_dyn_dns_keys.yml
@@ -1,13 +1,20 @@
 $ANSIBLE_VAULT;1.1;AES256
-61373835393530366133386434373162656332363939656235646235663333633532336435353266
-3364616435323230656233666633353535303436363433610a376133633938663634323932643764
-36656433366566623864636462383861636538363737343861316330306561373965626366363032
-6366373462303839660a653335623261306630623139643630323330633665393030333830653930
-37653166613264643537383734336163313537313334363635653062653832333638356361313461
-62353166393332326534356661653464333266383234396536383633323834333566633861643363
-66316162356566343964623237356264633564646634653834326363386235333361656332386265
-39333463343365393962663637666333376236366638306361316435306537643031346162346464
-33313466353666353136386463353831353365643333613066326136343234343636343833346465
-64343962303766303436613538616165623837383837303230623135623562303664333764323834
-62313864653234653138336134303638666234376631663361396662653863643433313864303330
-63663034353461346562
+62393237353533363738376335336564623464336332393733306465333339376130613338356537
+6166666538303939313238323238616433653036376662360a323663613934636539333365303166
+33343266613234363965363233666165383333343862326436313935636631326266363462613033
+3937393135656534370a663035633362643931653864336336396535373038396165633934366433
+31656663396538376337373762386162386665353639336235363233643139303763333861376339
+62306130363039376431396234333030616235306530343336326237656638636435363038663931
+39356535643265616337306530393962373537336335333764363565313939373565326561613066
+36633931656662393538353836353365386634663736356131323435333265653832656162306230
+64326535353532373137656535386531333536353531643863646135386664333030363564376463
+61386537306235356666353761383237336133376665393365663636386238373534623833306430
+37323336623537613034643763363439643063633433323431623932646465363230316533356337
+34623964653036383766316336373462363562333963663939333431643665643737643164396565
+38396332356630366665666239656562313430363432366639373235343430653236356438643131
+65623438313963356630333939636663393539656463376339326631636263313564636432343635
+39656466323965626264623332393630333035396638653039343536373337643165313564333363
+36626239303836383932336537313061663961636137396162303838356661386636303262653633
+33336665306634363866386237623733643663313136373037376631363364343161373731626637
+30346433666230663564643731616566663339393166343061333033386462366663383839653631
+363865646464333236663262323265376363
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 282af1bea3a21c03f289f61f8a293288690cad81..8b4a32e31864d92b63de7e3da7ce9ee10076c975 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -473,6 +473,14 @@ resource "hetznerdns_record" "archlinux_page_origin_ns1" {
   ttl     = 86400
 }
 
+resource "hetznerdns_record" "archlinux_page_sandbox_ns1" {
+  zone_id = hetznerdns_zone.archlinux_page.id
+  name    = "sandbox"
+  value   = "redirect.archlinux.org."
+  type    = "NS"
+  ttl     = 86400
+}
+
 # TODO: Commented currently as we have no idea how to handle SOA stuff with Terraform:
 # https://github.com/timohirt/terraform-provider-hetznerdns/issues/20
 # https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/62#note_4040