diff --git a/roles/master/defaults/main.yml b/roles/master/defaults/main.yml
new file mode 100644
index 0000000..cfafdaf
--- /dev/null
+++ b/roles/master/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+
+knot_server_rundir: /run/knot
+knot_server_user: knot
+knot_server_group: knot
+knot_server_listen:
+ - "::@53"
+ - "0.0.0.0@53"
+
+knot_log_targets:
+ - target: syslog
+ level: info
+
+knot_zone_storage_path: /var/lib/knot/master
+knot_zone_semantic_checks: 'on'
+knot_zone_dnssec_signing: 'on'
+
+knot_dnssec_policy_algorithm: ecdsap384sha384
+knot_dnssec_policy_nsec3: 'on'
+knot_dnssec_policy_ksk_shared: 'on'
+knot_dnssec_policy_ksk_size: 384
+knot_dnssec_policy_zsk_size: 384
+knot_dnssec_policy_cds_publish: 'always'
diff --git a/roles/master/handlers/main.yml b/roles/master/handlers/main.yml
new file mode 100644
index 0000000..299e65e
--- /dev/null
+++ b/roles/master/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: reload knot
+ service:
+ name: knot
+ state: reloaded
diff --git a/roles/master/tasks/config.yml b/roles/master/tasks/config.yml
index cd21505..dceb639 100644
--- a/roles/master/tasks/config.yml
+++ b/roles/master/tasks/config.yml
@@ -1,2 +1,35 @@
 ---
+- name: render knot master config
+ template:
+ src: etc/knot/knot.conf.j2
+ dest: /etc/knot/knot.conf
+ owner: knot
+ group: knot
+ mode: 0640
+ notify: reload knot
+
+- name: render knot server config
+ template:
+ src: etc/knot/knot.d/00-server.conf.j2
+ dest: /etc/knot/knot.d/00-server.conf
+ owner: knot
+ group: knot
+ mode: 0640
+ notify: reload knot
+
+- name: render knot master configs
+ template:
+ src: etc/knot/knot.d/10-master.conf.j2
+ dest: "/etc/knot/knot.d/{{ 10+i }}-master-{{ item.name }}.conf"
+ owner: root
+ group: root
+ mode: 0644
+ vars:
+ name: "{{ item.name }}"
+ replicas: "{{ item.replicas }}"
+ zones: "{{ item.zones }}"
+ loop: "{{ knot_zone_groups }}"
+ loop_control:
+ index_var: i
+ notify: reload knot 
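Review bot: The quoting of `'on'` and `'always'` in these defaults is load-bearing but undocumented: an unquoted `on` is read as a YAML 1.1 boolean by Ansible's loader and is then rendered into the Knot config as `True`, which relies on Knot accepting a Python-style spelling of its BOOL type rather than the documented `on`/`off`/`true`/`false`. A comment above the first such value, e.g. `# Quoted on purpose: an unquoted on/off becomes a YAML boolean and renders as True/False in knot.conf`, keeps a later "cleanup" to canonical booleans from silently breaking the rendered config. `knot_zone_groups`, which `tasks/config.yml` loops over, has no default here; if it is meant to be a mandatory inventory variable, a one-line comment saying so (and what shape `name`/`replicas`/`zones` take) would help the next operator.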
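Review bot: The per-group files written by the third task are never cleaned up, and their names depend on list position: a zone group dropped from `knot_zone_groups` leaves its `NN-master-<name>.conf` in `/etc/knot/knot.d/`, which `knot.conf` still globs in, so its zones stay served and transferable; and because the `{{ 10+i }}` prefix is the loop index, reordering groups re-renders the same group under a new prefix next to the stale file and gives Knot duplicate `acl`/`remote`/`template` ids. Using a fixed prefix, `dest: "/etc/knot/knot.d/10-master-{{ item.name }}.conf"`, and removing rendered files whose group is no longer defined fixes both. Separately, these files are `root:root` `0644` while the other two are `knot:knot` `0640`; that is fine while they hold only replica addresses, but anything like a TSIG secret added to this template later would become world-readable, so it is worth aligning them now. The file's remaining lines (the original `---` header) are outside what the hunk shows, so I cannot tell whether a cleanup task already exists elsewhere in the role.
```yaml
# … unchanged: the three template tasks (with the fixed 10-master- prefix) …

- name: find master configs for zone groups no longer defined
  find:
    paths: /etc/knot/knot.d
    patterns: "*-master-*.conf"
    excludes: >-
      {{ knot_zone_groups | map(attribute='name')
      | map('regex_replace', '^(.*)$', '10-master-\\1.conf') | list }}
  register: knot_stale_master_confs

- name: remove stale master configs
  file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ knot_stale_master_confs.files }}"
  notify: reload knot
```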
diff --git a/roles/master/tasks/install.yml b/roles/master/tasks/install.yml
index aa13bdc..7d04e08 100644
--- a/roles/master/tasks/install.yml
+++ b/roles/master/tasks/install.yml
@@ -5,3 +5,8 @@
 name: knot
 state: present
+- name: start and enable knot
+ service:
+ name: knot
+ state: started
+ enabled: yes
diff --git a/roles/master/templates/etc/knot/knot.conf.j2 b/roles/master/templates/etc/knot/knot.conf.j2
new file mode 100644
index 0000000..b8e8983
--- /dev/null
+++ b/roles/master/templates/etc/knot/knot.conf.j2
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+# See knot.conf(5) or refer to the server documentation.
+
+include: /etc/knot/knot.d/*conf
diff --git a/roles/master/templates/etc/knot/knot.d/00-server.conf.j2 b/roles/master/templates/etc/knot/knot.d/00-server.conf.j2
new file mode 100644
index 0000000..6638a90
--- /dev/null
+++ b/roles/master/templates/etc/knot/knot.d/00-server.conf.j2
@@ -0,0 +1,14 @@
+{{ ansible_managed | comment }}
+
+server:
+ rundir: "{{ knot_server_rundir }}"
+ user: "{{ knot_server_user }}:{{ knot_server_group }}"
+{% for addr in knot_server_listen %}
+ listen: "{{ addr }}"
+{% endfor %}
+
+log:
+{% for target in knot_log_targets %}
+ - target: "{{ target.target }}"
+ any: "{{ target.level }}"
+{% endfor %}
diff --git a/roles/master/templates/etc/knot/knot.d/10-master.conf.j2 b/roles/master/templates/etc/knot/knot.d/10-master.conf.j2
new file mode 100644
index 0000000..c2a3f1f
--- /dev/null
+++ b/roles/master/templates/etc/knot/knot.d/10-master.conf.j2
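Review bot: `enabled: yes` on the new service task relies on YAML 1.1 truthy parsing, while the rest of the role writes values canonically; ansible-lint's truthy rule flags it, so write `enabled: true`. Note also that this task starts Knot on whatever config the package ships before `config.yml` has rendered anything; that is harmless if the packaged default only listens locally, but it is an assumption worth a one-line comment on the task.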
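Review bot: The `server:` block in `00-server.conf.j2` binds the wildcard addresses from `knot_server_listen` (`::@53` and `0.0.0.0@53` by default) but configures no response-rate limiting, so a public authoritative server rendered from this template is usable as a DNS amplification reflector. Knot ships RRL (the `mod-rrl` module in current releases, a server-level `rate-limit` option in older ones); either wire it in with a default such as `knot_server_rate_limit` or add a comment stating that RRL is deliberately left to the operator. The loop also renders one `listen:` line per address instead of a single list; if Knot's parser appends repeated multi-valued items this is fine, but rendering `listen: [ ... ]` once avoids depending on that behaviour.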
@@ -0,0 +1,46 @@
+{{ ansible_managed | comment }}
+
+#
+# Master configuration for zones in group {{ name }}
+#
+
+acl:
+ - id: xfr-{{ name }}
+ action: transfer
+ address:
+{% for replica in replicas %}
+ - "{{ replica }}"
+{% endfor %}
+
+remote:
+{% for replica in replicas %}
+ - id: remote-{{ name }}-{{ loop.index0 }}
+ address: "{{ replica }}"
+{% endfor %}
+
+policy:
+ - id: dnssec-{{ name }}
+ algorithm: {{ knot_dnssec_policy_algorithm }}
+ nsec3: {{ knot_dnssec_policy_nsec3 }}
+ ksk-size: {{ knot_dnssec_policy_ksk_size }}
+ zsk-size: {{ knot_dnssec_policy_zsk_size }}
+ ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
+ cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
+
+template:
+ - id: {{ name }}
+ storage: {{ knot_zone_storage_path }}
+ semantic_checks: {{ knot_zone_semantic_checks }}
+ dnssec-signing: {{ knot_zone_dnssec_signing }}
+ dnssec-policy: dnssec-{{ name }}
+ acl: xfr-{{ name }}
+ notify:
+{% for replica in replicas %}
+ - remote-{{ name }}-{{ loop.index0 }}
+{% endfor %}
+
+zone:
+{% for zone in zones %}
+ - domain: {{ zone }}.
+ template: {{ name }}
+{% endfor %}
diff --git a/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2 b/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2
index 1c1925e..6fa181c 100644
--- a/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2
+++ b/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2
@@ -1,7 +1,7 @@
 {{ ansible_managed | comment }}
 #
-# Replica for zones of of primary {{ primary }}
+# Replica for zones of primary {{ primary }}
 #
 pattern:
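Review bot: `semantic_checks:` on the `template:` entry does not match the item name Knot documents, `semantic-checks`; the neighbouring `dnssec-signing` and `dnssec-policy` lines use the hyphenated form, and as far as I know Knot treats an unknown item as a configuration error rather than ignoring it, so the rendered file would fail to load on reload — change the line to `semantic-checks: {{ knot_zone_semantic_checks }}`. Separately, the transfer `acl` and the `remote` entries are address-only: AXFR/IXFR and NOTIFY are authorised by source IP alone, with no TSIG `key:`. For public, DNSSEC-signed zones that is defensible only if the replica addresses cannot be spoofed or shared; otherwise add a `key:` section with a per-group TSIG secret, reference it from both the acl and the remotes, and keep the secret out of the `0644` files this template is rendered into.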