diff --git a/src/knot/server/name-server.c b/src/knot/server/name-server.c
index 2e4ab3a8b7f316831c320269bd3f226310524289..443185ac016943e7a07df7f159da2e2c79a05f6f 100644
--- a/src/knot/server/name-server.c
+++ b/src/knot/server/name-server.c
@@ -3050,6 +3050,13 @@ int ns_process_response(ns_nameserver_t *nameserver, sockaddr_t *from,
return KNOT_EINVAL;
}
+ /* Match against ACL to verify. */
+ if (acl_match(zd->xfr_in.acl, from) == ACL_DENY) {
+ debug_ns("Unauthorized SOA response, will not start "
+ "XFR.\n");
+ return KNOT_EINVAL;
+ }
+
/* Cancel EXPIRE timer. */
evsched_t *sched = nameserver->server->sched;
event_t *expire_ev = zd->xfr_in.expire;
diff --git a/src/knot/server/zones.c b/src/knot/server/zones.c
index 6da0539efd68e68a65b29a20b7f601ceb0161ddc..7db3cececc686a8981c62a8871136e3130991ee7 100644
--- a/src/knot/server/zones.c
+++ b/src/knot/server/zones.c
@@ -763,6 +763,7 @@ static int zones_insert_zones(ns_nameserver_t *ns,
/* Update ACLs. */
debug_zones("Updating zone ACLs.\n");
+ zones_set_acl(&zd->xfr_in.acl, &z->acl.xfr_in);
zones_set_acl(&zd->xfr_out, &z->acl.xfr_out);
zones_set_acl(&zd->notify_in, &z->acl.notify_in);
zones_set_acl(&zd->notify_out, &z->acl.notify_out);
@@ -779,6 +780,10 @@ static int zones_insert_zones(ns_nameserver_t *ns,
cfg_if->family,
cfg_if->address,
cfg_if->port);
+
+ debug_zones("Using %s:%d as zone XFR master.\n",
+ cfg_if->address,
+ cfg_if->port);
}
/* Update events scheduled for zone. */
diff --git a/src/knot/server/zones.h b/src/knot/server/zones.h
index ceb902f42e537bb106fe7a966636004f418d553a..56500358761238536b47b06ac53834db2b25c2ef 100644
--- a/src/knot/server/zones.h
+++ b/src/knot/server/zones.h
@@ -41,6 +41,7 @@ typedef struct zonedata_t
/*! \brief XFR-IN scheduler. */
struct {
list **ifaces; /*!< List of availabel interfaces. */
+ acl_t *acl; /*!< ACL for xfr-in.*/
sockaddr_t master; /*!< Master server for xfr-in.*/
struct event_t *timer; /*!< Timer for REFRESH/RETRY. */
struct event_t *expire; /*!< Timer for REFRESH. */