diff --git a/roles/knotd/defaults/main.yml b/roles/knotd/defaults/main.yml
index 37a901d..a0d36a7 100644
--- a/roles/knotd/defaults/main.yml
+++ b/roles/knotd/defaults/main.yml
@@ -15,6 +15,7 @@ knotd__cds_cdnskey_publish: rollover
 knotd__acl: []
 knotd__acl_update_owner: name
 knotd__acl_update_owner_match: equal
+knotd__queryacl: []
 knotd__zones_dir: "{{ knotd__database_dir }}/zones"
 knotd__semantic_checks: true
 knotd__serial_policy: increment
diff --git a/roles/knotd/templates/knot.conf.j2 b/roles/knotd/templates/knot.conf.j2
index 732b6c8..0a4cebe 100644
--- a/roles/knotd/templates/knot.conf.j2
+++ b/roles/knotd/templates/knot.conf.j2
@@ -1,3 +1,5 @@
+{{ ansible_managed | comment }}
+
 server:
 rundir: "{{ knotd__run_dir }}"
 user: {{ knotd__user }}:{{ knotd__group }}
@@ -26,7 +28,7 @@ remote:
 {% for id, remote in knotd__remotes.items() %}
 - id: {{ id }}
 address: {{ remote.address }}
-{% if "key" in remote %}
+{% if remote.key is defined %}
 key: {{ remote.key }}
 {% endif %}
 {% endfor %}
@@ -55,12 +57,12 @@ policy:
 nsec3: {{ policy.nsec3 | default(knotd__nsec3) | ternary("on", "off") }}
-{% if "ds_push" in policy %}
+{% if policy.ds_push is defined %}
 ds-push: {{ policy.ds_push }}
 {% endif %}
 cds-cdnskey-publish: {{ policy.cds_cdnskey_publish | default(knotd__cds_cdnskey_publish) }}
-{% if "ksk_submission" in policy %}
+{% if policy.ksk_submission is defined %}
 ksk-submission: {{ policy.ksk_submission }}
 {% endif %}
 {% endfor %}
@@ -70,7 +72,7 @@ policy:
 acl:
 {% for id, acl in knotd__acl.items() %}
 - id: {{ id }}
-{% if "addresses" in acl %}
+{% if acl.addresses is defined %}
 address: [ {{ acl.addresses | join(", ") }} ]
 {% endif %}
 action: {{ acl.action }}
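Review bot: The new default `knotd__queryacl: []` is a list, but the mod-queryacl hunk in knot.conf.j2 guards the block with `{% if knotd__queryacl.items() %}` and then iterates `.items()`; a list carries no `items` attribute in Jinja2, so on a host that keeps the default the guard itself evaluates an undefined call and the template render errors out instead of skipping the block. Declaring the default as a mapping, `knotd__queryacl: {}`, matches the `.items()` iteration and stays falsy when empty; alternatively the template guard could test plain truthiness with `{% if knotd__queryacl %}`. The existing `knotd__acl: []` default feeds the same kind of `.items()` loop and presumably survives only because its enclosing guard (outside the shown hunks) tests truthiness rather than calling `.items()` — worth confirming before copying that pattern.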
@@ -82,12 +84,20 @@ acl:
 | default(knotd__acl_update_owner_match) }}
 update-owner-name: [ {{ acl.update_owner_name | join(", ") }} ]
 {% endif %}
-{% if "key" in acl %}
+{% if acl.key is defined %}
 key: {{ acl.key }}
 {% endif %}
 {% endfor %}
 {% endif %}
+{% if knotd__queryacl.items() %}
+mod-queryacl:
+{% for id, acl in knotd__queryacl.items() %}
+ - id: {{ id }}
+ address: [ {{ acl.addresses | join(", ") }} ]
+{% endfor %}
+{% endif %}
+
 template:
 - id: default
 storage: "{{ knotd__zones_dir }}"
@@ -105,16 +115,19 @@ zone:
 {% for domain, zone in knotd__zones.items() %}
 {% if zone.enabled | default(true) %}
 - domain: {{ domain }}
-{% if "notify" in zone %}
+{% if zone.notify is defined %}
 notify: [ {{ zone.notify | join(", ") }} ]
 {% endif %}
-{% if "acl" in zone %}
+{% if zone.acl is defined %}
 acl: [ {{ zone.acl | join(", ") }} ]
 {% endif %}
-{% if "master" in zone %}
+{% if zone.queryacl is defined %}
+ module: mod-queryacl/{{ zone.queryacl }}
+{% endif %}
+{% if zone.master is defined %}
 master: {{ zone.master }}
 {% endif %}
-{% if "dnssec_policy" in zone %}
+{% if zone.dnssec_policy is defined %}
 dnssec-policy: {{ zone.dnssec_policy }}
 dnssec-signing: on
 {% else %}
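Review bot: The added `address: [ {{ acl.addresses | join(", ") }} ]` line in the mod-queryacl block is emitted unconditionally, whereas the `acl:` block in the preceding hunk wraps the identical line in `{% if acl.addresses is defined %}`; a query-ACL entry declared without `addresses` therefore aborts the whole knot.conf render rather than producing an entry with no address match. Mirroring the guard, `{% if acl.addresses is defined %}` around the address line, keeps the two blocks consistent and lets an entry be matched by other criteria. The block's own `{% if knotd__queryacl.items() %}` guard versus the list-typed default is raised at the defaults hunk. The `acl:` section this hunk starts in opens outside the hunk, so the `{% endif %}` closing it is the last context line before the new block.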
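Review bot: The new `module: mod-queryacl/{{ zone.queryacl }}` line renders a bare scalar while the neighbouring `notify:` and `acl:` keys in the same zone entry render bracketed lists; since a zone can attach several modules, the list form `module: [ mod-queryacl/{{ zone.queryacl }} ]` keeps the style of the surrounding keys and leaves room for a second module without restructuring the line. Nothing checks that `zone.queryacl` names an id present in `knotd__queryacl`, so a mistyped reference is presumably only caught when knotd loads the generated config — a comment on the `knotd__queryacl` default, e.g. `# ids referenced from knotd__zones[*].queryacl`, would make the coupling visible. The surrounding `{% for domain, zone in knotd__zones.items() %}` loop continues past the end of the hunk.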