diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index b5c3fbcb..33fd668c 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -11,27 +11,17 @@
 {%- set is_master = ansible_all_ipv4_addresses | intersect(masters_ipv4) %}
 
 {% if is_master -%}
-// Let's Encrypt Challenge DNS-01
+// Let's Encrypt Challenge DNS-01 key
 key "certbot_challenge." {
 	algorithm hmac-sha512;
 	secret "{{ certbot_dns_secret }}";
 };
 {% endif %}
 
-// Crans zones
-{% for zone in bind.zones %}
-zone "{{ zone }}" {
-	{% if is_master -%}
+// Let's Encrypt Challenge DNS-01 zone
+zone "_acme-challenge.crans.org" {
 	type master;
-	file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
-	forwarders {
-		{% for ip in slaves_ipv4 -%}
-		{{ ip }};
-		{% endfor -%}
-		{% for ip in slaves_ipv6 -%}
-		{{ ip }};
-	{% endfor -%}
-	};
+	file "bak._acme-challenge.db";
 	allow-transfer {
 		{% for ip in slaves_ipv4 -%}
 		{{ ip }};
@@ -43,6 +33,22 @@ zone "{{ zone }}" {
 	update-policy {
 		grant certbot_challenge. name _acme-challenge.{{ zone }} txt;
 	};
+};
+
+// Crans zones
+{% for zone in bind.zones %}
+zone "{{ zone }}" {
+	{% if is_master -%}
+	type master;
+	file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
+	allow-transfer {
+		{% for ip in slaves_ipv4 -%}
+		{{ ip }};
+		{% endfor -%}
+		{% for ip in slaves_ipv6 -%}
+		{{ ip }};
+	{% endfor -%}
+	};
 	notify yes;
 	{% else -%}
 	type slave;