diff --git a/library/roles/unbound-resolver/defaults/main.yml b/library/roles/unbound-resolver/defaults/main.yml
index 20bb1a9..2ebb4d6 100644
--- a/library/roles/unbound-resolver/defaults/main.yml
+++ b/library/roles/unbound-resolver/defaults/main.yml
@@ -29,3 +29,9 @@ unbound_so_reuseport: 'yes'
 # with libevent
 unbound_outgoing_range: 8192
 unbound_num_queries_per_thread: 4096
+
+# Stub zones
+# One of stub_host or stub_addr must be defined
+# stub_prime and stub_first are both optional, default 'yes'
+#unbound_stub_zones:
+#  - { name: '', stub_addr: '', stub_host: '', stub_prime: '', stub_first: '' }
diff --git a/library/roles/unbound-resolver/templates/unbound-server.conf b/library/roles/unbound-resolver/templates/unbound-server.conf
index e955d89..7216d8e 100644
--- a/library/roles/unbound-resolver/templates/unbound-server.conf
+++ b/library/roles/unbound-resolver/templates/unbound-server.conf
@@ -42,3 +42,19 @@ server:
         do-daemonize: no
 {% endif %}
 
+{% if unbound_stub_zones is defined %}
+{% for zone in unbound_stub_zones %}
+stub-zone:
+        name: {{ zone.name }}
+{% if zone.stub_host is defined %}
+        stub-host: {{ zone.stub_host }}
+{% endif %}
+{% if zone.stub_addr is defined %}
+        stub-addr: {{ zone.stub_addr }}
+{% endif %}
+        stub-prime: {{ zone.stub_prime | default('yes') }}
+        stub-first: {{ zone.stub_first | default('yes') }}
+
+{% endfor %}
+{% endif %}
+