diff --git a/roles/knot/tasks/config.yml b/roles/knot/tasks/config.yml
index b146213..afb3ec3 100644
--- a/roles/knot/tasks/config.yml
+++ b/roles/knot/tasks/config.yml
@@ -11,6 +11,23 @@
     - "{{ knot_zone_master_storage_path }}"
     - "{{ knot_zone_replica_storage_path }}"
+- name: make sure all zones have a name
+  assert:
+    that:
+      - "'name' in item.value"
+      - "item.value.name | type_debug == 'str'"
+    fail_msg: "{{ item.key }} does not have a name"
+  loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | list }}"
+
+- name: make sure all zones have at least one master defined
+  assert:
+    that:
+      - "'masters' in item.value"
+      - "item.value.masters | type_debug == 'list'"
+      - "item.value.masters | length > 0"
+    fail_msg: "{{ item.key }} does not have a zone master"
+  loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | list }}"
+
 - name: render knot zone files
   template:
     src: var/lib/knot/master/zone.j2
diff --git a/roles/knot/templates/etc/knot/knot.conf.j2 b/roles/knot/templates/etc/knot/knot.conf.j2
index 614be81..104f247 100644
--- a/roles/knot/templates/etc/knot/knot.conf.j2
+++ b/roles/knot/templates/etc/knot/knot.conf.j2
@@ -41,10 +41,9 @@ acl:
 # MASTER ZONES
 #
+policy:
 {% for zone in zones %}
 {% if inventory_hostname in zone.masters %}
-
-policy:
   - id: dnssec-{{ zone.name }}
     algorithm: {{ knot_dnssec_policy_algorithm }}
     nsec3: {{ knot_dnssec_policy_nsec3 }}
@@ -52,9 +51,13 @@ policy:
     zsk-size: {{ knot_dnssec_policy_zsk_size }}
     ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
     cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
+{% endif %}
+{% endfor %}
 zone:
-  - domain: {{ zone.name }}.
+{% for zone in zones %}
+{% if inventory_hostname in zone.masters %}
+  - domain: {{ zone.name }}
     storage: {{ knot_zone_master_storage_path }}
     semantic-checks: {{ knot_zone_semantic_checks }}
     serial-policy: unixtime
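Review bot: `item.value.name | type_debug == 'str'` in the first assert compares against the Python class name, and values loaded from inventory YAML are normally `AnsibleUnicode` (or `AnsibleUnsafeText` once templated) rather than `str`, so this check is likely to fail for every correctly defined zone; `item.value.name is string` is the portable test, and the `type_debug == 'list'` check in the second task has the same exposure (`AnsibleSequence`), where `item.value.masters is not string and item.value.masters is iterable` avoids it. Both loops select every hostvar matching `^knot_zone_.+$`, which also matches this role's scalar settings (`knot_zone_master_storage_path` and `knot_zone_replica_storage_path` appear as context in this hunk) whenever a host or group overrides them; `'name' in item.value` then becomes a substring test on a string or raises on a non-iterable value, so appending `| selectattr('value', 'mapping')` after the key match keeps the checks on zone definitions only. The new checks stop at `masters`, while knot.conf.j2 dereferences `zone.replicas` unconditionally for every zone, so a third assertion that `'replicas' in item.value` and it is a list would fail early instead of at render time.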
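Review bot: Hoisting `policy:` above the loop means the section header is rendered even when this host is master of no zone, and the same applies to `zone:` in the -52,9 hunk and to the replica `zone:` in the -76,11 hunk, so a replica-only host now gets empty `policy:` and master `zone:` sections and a master-only host an empty replica `zone:`. The previous per-zone layout never produced an empty section, so this is worth confirming with `knotc conf-check` on a host of each kind, or guarding each header the same way its items are, e.g. `{% if zones | selectattr('masters', 'contains', inventory_hostname) | list %}` around the policy block and the matching test for the two zone blocks.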
@@ -67,7 +70,6 @@ zone:
 {% for replica in zone.replicas %}
     notify: remote-{{ replica }}
 {% endfor %}
-
 {% endif %}
 {% endfor %}
@@ -76,11 +78,10 @@ zone:
 # REPLICA ZONES
 #
+zone:
 {% for zone in zones %}
 {% if inventory_hostname in zone.replicas %}
-
-zone:
-  - domain: {{ zone.name }}.
+  - domain: {{ zone.name }}
     storage: {{ knot_zone_replica_storage_path }}
     serial-policy: unixtime
 {% for master in zone.masters %}
@@ -89,7 +90,6 @@ zone:
 {% for master in zone.masters %}
     master: remote-{{ master }}
 {% endfor %}
-
 {% endif %}
 {% endfor %}
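Review bot: With `zone:` now emitted once per role rather than once per zone, the master block from the -52,9 hunk and this replica block are two top-level `zone:` sections whose `domain`, `storage` and `serial-policy` lines differ only in the storage variable; a single `zone:` header with one loop that branches on `inventory_hostname in zone.masters` and `inventory_hostname in zone.replicas` would drop the duplicated headers and keep each zone's entry in one place. Repeated `zone:` sections already existed in the old layout, so this is a readability point rather than a change in behaviour.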