diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 32485306fec133b19b9d68543b7578087f7f4dbf..776691f7cb7df12d36055ac0cbe30aef0bb5284e 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -223,8 +223,17 @@ static int update_cut(knot_pkt_t *pkt, const knot_rrset_t *rr, struct kr_request
 /* Authority MUST be at/below the authority of the nameserver, otherwise
 * possible cache injection attempt. */
 if (!knot_dname_in(cut->name, rr->owner)) {
- DEBUG_MSG("<= authority: ns outside bailiwick, failing\n");
+ DEBUG_MSG("<= authority: ns outside bailiwick\n");
+#ifdef STRICT_MODE
 return KNOT_STATE_FAIL;
+#else
+ /* Workaround: ignore out-of-bailiwick NSs for authoritative answers,
+ * but fail for referrals. This is important to detect lame answers. */
+ if (knot_pkt_section(pkt, KNOT_ANSWER)->count == 0) {
+ state = KNOT_STATE_FAIL;
+ }
+ return state;
+#endif
 }

 /* Update zone cut name */
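Review bot: In the `#else` branch the comment promises the relaxation only for authoritative answers, but the condition checks only that the ANSWER section is non-empty, so any response carrying an answer RR avoids the bailiwick failure whether or not the AA bit is set. If "authoritative" is what is meant, the guard could read `if (knot_pkt_section(pkt, KNOT_ANSWER)->count == 0 || !knot_wire_get_aa(pkt->wire)) {`; otherwise the comment should say "responses with a non-empty answer section". The early `return state;` skips the cut update in this function, but update_cut starts and ends outside the hunk, so it is not visible whether the caller also keeps this out-of-bailiwick RR out of the cache; that is worth confirming, since cache injection is what the original check guarded against. Because the strict check is now opt-in through `STRICT_MODE`, the default build is the permissive one, and a comment at the `#ifdef` such as `/* STRICT_MODE: fail on any out-of-bailiwick NS (off by default) */` would make that explicit.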