diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index d63642f..e4e0ae0 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -1,6 +1,30 @@
 ---
 - name: Converge
 hosts: all
+ vars:
+ bind9_group_config:
+ - name: named.conf.options
+ options:
+ directory: "{{ bind9_working_directory }}"
+ forwarders:
+ port: 853
+ tls: common-upstream
+ addresses:
+ - address: 192.0.2.10
+ port: 5353
+ tls: leaf-a
+ - address:
+ - 2001:db8::10
+ - 198.51.100.10
+ tls: dual-stack
+ - 203.0.113.10
+ tls:
+ - name: common-upstream
+ remote_hostname: upstream.example
+ - name: leaf-a
+ remote_hostname: leaf-a.example
+ - name: dual-stack
+ remote_hostname: dual-stack.example
 tasks:
 - name: Include bind9 role
 ansible.builtin.include_role:
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index c5ae4d5..d9e7bf5 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -2,13 +2,6 @@
 driver:
 name: podman
 platforms:
- - name: debian-bookworm
- image: docker.io/jrei/systemd-debian:12
- command: /lib/systemd/systemd
- privileged: true
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:rw
- cgroupns_mode: host
 - name: debian-trixie
 image: docker.io/jrei/systemd-debian:13
 command: /lib/systemd/systemd
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..c70b01b
--- /dev/null
+++ b/molecule/default/verify.yml
@@ -0,0 +1,21 @@
+---
+- name: Verify forwarders configuration
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Read named.conf.options
+ ansible.builtin.slurp:
+ src: /etc/bind/named.conf.options
+ register: forwarders_file
+
+ - name: Assert forwarders render with port and tls
+ ansible.builtin.assert:
+ that:
+ - forwarders_content is search('forwarders port 853 tls common-upstream \{')
+ - forwarders_content is search('192.0.2.10 port 5353 tls leaf-a;')
+ - forwarders_content is search('2001:db8::10 tls dual-stack;')
+ - forwarders_content is search('198.51.100.10 tls dual-stack;')
+ - forwarders_content is search('203.0.113.10;')
+ fail_msg: "Forwarders block missing expected port/tls entries"
+ vars:
+ forwarders_content: "{{ forwarders_file.content | b64decode }}"
diff --git a/templates/named.conf.functions.j2 b/templates/named.conf.functions.j2
index 0ba8399..b3c2eb2 100644
--- a/templates/named.conf.functions.j2
+++ b/templates/named.conf.functions.j2
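Review bot: The assert task only checks that the expected substrings occur in the slurped /etc/bind/named.conf.options, so a rendered block that matches these regexes but that BIND itself rejects (for example a `tls` name that has no matching `tls` statement, assuming the role renders those from the `tls` list in converge.yml) would still pass verification. A task such as `ansible.builtin.command: named-checkconf` with `changed_when: false`, placed before the assert, would have BIND validate the file and catch grammar errors the string match cannot. The dots in the IP literals are also unescaped regex metacharacters, so `search('192\.0\.2\.10 port 5353 tls leaf-a;')` (or the `in` test on `forwarders_content` instead of `search`) would match less loosely.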
@@ -42,6 +42,46 @@
 {% endif %}
 {% endmacro %}
 
+{% macro list_address_port_tls(dict, indent=bind9_config_indent) %}
+{# This macro is for use for statements with grammar like #}
+{# address port 00 tls string; address port 00 tls string; #}
+{# it is usually called by a parent macro #}
+{% filter indent(indent, true) %}
+{% for item in dict %}
+{% if item is not mapping %}
+{{ item }};
+{% elif item.address is string %}
+{{ item.address -}}
+{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
+{% elif item.address is sequence %}
+{% for address in item.address %}
+{{ address -}}
+{{- (' port ' + item.port | string) if item.port is defined and item.port -}}
+{{- (' tls ' + item.tls | string) if item.tls is defined and item.tls -}};
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfilter %}
+{% endmacro %}
+
+{% macro parent_address_port_tls(name, dict) %}
+{# This macro is for statements with grammar like #}
+{# statement port 00 tls string { address port 00 tls string; address port 00 tls string; } #}
+{# the list inside the statement is handled by list_address_port_tls #}
+{% if dict is not mapping and dict is iterable %}
+{{ name }} {
+{{ list_address_port_tls(dict) -}}
+};
+{% else %}
+{{ name }}
+{{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
+{{- (' tls ' + dict.tls | string) if dict.tls is defined and dict.tls }} {
+{{ list_address_port_tls(dict.addresses) -}}
+};
+{% endif %}
+{% endmacro %}
+
 {% macro list_address_port_dscp(dict, indent=bind9_config_indent) %}
 {# This macro is for use for statements with grammar like #}
 {# address port 00 dscp 00; address port 00 dscp 00; #}
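Review bot: In `list_address_port_tls`, an item that is a mapping but has no `address` key (or whose `address` is itself a mapping) matches neither `elif` branch and produces no output, so a typo such as `adress:` silently removes a forwarder from the rendered block instead of failing the play. An `{% else %}` branch that references `{{ item.address }}` would surface Ansible's undefined-variable error, or the role could validate `bind9_group_config` with `ansible.builtin.assert` before templating. Separately, `parent_address_port_tls` closes its block with `{{ list_address_port_tls(dict) -}}` followed by `};`, whereas the `parent_address_port_dscp` hunk later in this file keeps `}}` with no trailing strip, so the two parent macros differ in whether the final list entry's newline survives before `};`; using the same form in both would keep the rendered layout consistent.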
@@ -65,12 +105,14 @@
 {# the list inside the statement is handled by list_address_port #}
 {% if dict is not mapping and dict is iterable %}
 {{ name }} {
-{{ list_address_port_dscp(dict) }}};
+{{ list_address_port_dscp(dict) }}
+};
 {% else %}
 {{ name }}
 {{- (' port ' + dict.port | string) if dict.port is defined and dict.port -}}
 {{- (' dscp ' + dict.dscp | string) if dict.dscp is defined and dict.dscp }} {
-{{ list_address_port_dscp(dict.addresses) }}};
+{{ list_address_port_dscp(dict.addresses) }}
+};
 {% endif %}
 {% endmacro %}
 
diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2
index afdbaf7..43066fc 100644
--- a/templates/named.conf.options.j2
+++ b/templates/named.conf.options.j2
@@ -101,7 +101,7 @@ listen-on {{ functions.simple_item_list(item.options.listen_on.addresses) }}};
 {% endfor %}
 {% endif %}
 
-{{ functions.parent_address_port_dscp("forwarders", item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
+{{ functions.parent_address_port_tls('forwarders', item.options.forwarders) if item.options.forwarders is defined and item.options.forwarders -}}
 
 {% if item.options.dual_stack_servers is defined and item.options.dual_stack_servers %}
 dual-stack-servers {{ (' port ' + item.options.dual_stack_servers.port | string) if item.options.dual_stack_servers.port is defined and item.options.dual_stack_servers }} {
diff --git a/templates/named.conf.zone.j2 b/templates/named.conf.zone.j2
index 0423220..bdf12ce 100644
--- a/templates/named.conf.zone.j2
+++ b/templates/named.conf.zone.j2
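Review bot: Switching the `forwarders` line from `parent_address_port_dscp` to `parent_address_port_tls` means an existing inventory that sets `dscp` under `forwarders` now renders without it, and nothing warns about it because the new macro simply ignores keys it does not know; the `named.conf.zone.j2` hunk has the same effect. If dropping `dscp` for forwarders is intended (BIND has deprecated the option), it should be recorded in the role's documentation or changelog as a behavior change so users can see why their rendered config differs; otherwise the new macro needs a `dscp` branch next to its `tls` one. The enclosing template block starts and ends outside the hunk.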
@@ -47,7 +47,7 @@ server-names {
 server-addresses {
 {{ functions.simple_item_list(zone.server_addresses) }}};
 {% endif %}
-{{ functions.parent_address_port_dscp('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
+{{ functions.parent_address_port_tls('forwarders', zone.forwarders) if zone.forwarders is defined and zone.forwarders -}}
 {% if zone.allow_transfer is defined and zone.allow_transfer is not string %}
 allow-transfer
 {{- (' port ' + zone.allow_transfer.port | string) if zone.allow_transfer.port is defined and zone.allow_transfer.port -}}