diff --git a/src/libknot/updates/xfr-in.c b/src/libknot/updates/xfr-in.c
index 78d12a9396b2d791bf9b1ccef48c783ec751a406..75e80aea2f9c5e330b65e0e7da5e30d3e6c1bd37 100644
--- a/src/libknot/updates/xfr-in.c
+++ b/src/libknot/updates/xfr-in.c
@@ -480,6 +480,16 @@ int xfrin_process_axfr_packet(knot_ns_xfr_t *xfr)
 		return KNOT_EMALF;
 	}
 
+	if (!knot_dname_is_subdomain(xfr->zone->name, rr->owner)) {
+		char *owner = knot_dname_to_str(rr->owner);
+		log_zone_warning("Ignoring out-of-zone record owned by %s.\n",
+		                 owner);
+		free(owner);
+		knot_packet_free(&packet);
+		knot_rrset_deep_free(&rr, 1, 1);
+		return KNOT_EOK;
+	}
+
 	if (rr == NULL) {
 		dbg_xfrin("No RRs in the packet.\n");
 		knot_packet_free(&packet);