diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index 4b689c76..12b3dce4 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -20,8 +20,8 @@ key "certbot_challenge." {
 
 // Let's Encrypt Challenge DNS-01 zone
 zone "_acme-challenge.crans.org" {
+	{% if is_master -%}
 	type master;
-	file "bak._acme-challenge.crans.org";
 	allow-transfer {
 		{% for ip in slaves_ipv4 -%}
 		{{ ip }};
@@ -30,6 +30,21 @@ zone "_acme-challenge.crans.org" {
 		{{ ip }};
 	{% endfor -%}
 	};
+	notify yes;
+	{% else -%}
+	type slave;
+	masters {
+		{% for ip in masters_ipv4 -%}
+		{{ ip }};
+		{% endfor -%}
+		{% for ip in masters_ipv6 -%}
+		{{ ip }};
+	{% endfor -%}
+	};
+	allow-transfer { "none"; };
+	notify no;
+	{% endif -%}
+	file "bak.{{ zone }}";
 	update-policy {
 		grant certbot_challenge. name _acme-challenge.crans.org txt;
 	};