diff --git a/roles/dns_intern/templates/dnsdist.conf.j2 b/roles/dns_intern/templates/dnsdist.conf.j2
index a852e28..ae43a97 100644
--- a/roles/dns_intern/templates/dnsdist.conf.j2
+++ b/roles/dns_intern/templates/dnsdist.conf.j2
@@ -10,11 +10,11 @@ newServer({address='127.0.0.1:5353', pool='resolve'})
 
 {% if dns_secondary is defined %}
 -- allow AXFR/IXFR only from slaves
-addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), NotRule(makeRule("{{ dns_secondary }}"))}), RCodeAction(DNSRCode.REFUSED))
 {% endif %}
 
 -- allow NOTIFY only from master
-addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(dnsdist.REFUSED))
+addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("{{ dns_primary }}"))}), RCodeAction(DNSRCode.REFUSED))
 
 -- use auth servers for own zones
 addAction('binary.kitchen', PoolAction('authdns'))