diff --git a/roles/dns_intern/templates/dnsdist.conf.j2 b/roles/dns_intern/templates/dnsdist.conf.j2
index ae43a97..b14027b 100644
--- a/roles/dns_intern/templates/dnsdist.conf.j2
+++ b/roles/dns_intern/templates/dnsdist.conf.j2
@@ -9,17 +9,27 @@ newServer({address='127.0.0.1:5300', pool='authdns'})
 newServer({address='127.0.0.1:5353', pool='resolve'})
 {% if dns_secondary is defined %}
--- allow AXFR/IXFR only from slaves
+-- allow AXFR/IXFR only from secondary
 addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
 {% endif %}
--- allow NOTIFY only from master
+-- allow NOTIFY only from primary
 addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
 -- use auth servers for own zones
 addAction('binary.kitchen', PoolAction('authdns'))
 addAction('23.172.in-addr.arpa', PoolAction('authdns'))
+-- function to set RA flag
+function setRA(dq)
+ dq.dh:setRA(true)
+ return DNSResponseAction.None
+end
+
+-- set RA flag for queries to own zones
+addResponseAction('binary.kitchen', LuaResponseAction(setRA))
+addResponseAction('23.172.in-addr.arpa', LuaResponseAction(setRA))
+
 -- use resolver for anything else
 addAction(AllRule(), PoolAction('resolve'))
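Review bot: The new `setRA` handler is installed through `LuaResponseAction`, so its argument is a response object, yet the parameter is named `dq` and the comment above the two `addResponseAction` lines speaks of "queries"; that hides the fact that this rule rewrites a header flag on answers after they come back from the `authdns` pool. I would rename it and say why the flag is forced, e.g. `local function setRA(dr)` / `dr.dh:setRA(true)`, with the comment `-- own zones are answered by the non-recursive authdns pool (RA=0); force RA=1 on those responses because clients of this front-end do get recursion for everything else`. Making the function `local` also keeps it out of the global Lua namespace of the config, where nothing else references it. One thing to confirm: the REFUSED answers produced by `RCodeAction` for the AXFR/IXFR and NOTIFY rules are generated by dnsdist itself and presumably do not pass through the `addResponseAction` chain, so they will not carry RA the way backend answers for the same names do; if that asymmetry matters, document it next to the rule.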