diff --git a/.kitchen.yml b/.kitchen.yml index aaf4066..b93541c 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -25,3 +25,8 @@ platforms: suites: - name: bind + - name: bind-zones-subset + provisioner: + extra_vars: + bind_zones_subset: + - test.local diff --git a/.travis.yml b/.travis.yml index a85a5ca..5d05f9e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,9 +13,12 @@ before_install: - bundle install script: - - kitchen conv - - kitchen conv | grep changed=0 - - kitchen verify + - kitchen conv bind + - kitchen conv bind | grep changed=0 + - kitchen verify bind + - kitchen conv bind-zones-subset + - kitchen conv bind-zones-subset | grep changed=0 + - kitchen verify bind-zones-subset notifications: webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/README.md b/README.md index b893d92..1fc5736 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,7 @@ This role can work on Debian derived OS, but it's not our priority. * `bind_role` - the role `master` or `slave`, don't generate dnssec key on `slave` * `bind_options` - hash general bind options * `bind_zones` - the dns zones +* `bind_zones_subset` array to use in `extra-vars` with the list zones to update * `bind_listen_ipv4` - enable or disable ip v4 support (default: true) * `bind_listen_ipv6` - enable or disable ip v6 support (default: true) diff --git a/tasks/zones.yml b/tasks/zones.yml index 9fcb8da..d9471fd 100644 --- a/tasks/zones.yml +++ b/tasks/zones.yml @@ -1,3 +1,8 @@ +- set_fact: + bind_zones_play: '{{ bind_zones_play|default([]) + [ item ] }}' + with_dict: '{{ bind_zones }}' + when: (item.value.state is not defined or item.value.state != 'absent') and (bind_zones_subset is not defined or item.key in bind_zones_subset) + - name: create zone folder file: path: '/etc/bind/zones/{{ item.key }}' 
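Review bot: `bind_zones_play` stays undefined whenever the new `set_fact` loop never runs or is skipped for every item — an empty `bind_zones`, or a `bind_zones_subset` that names no existing zone — and the `with_items: '{{ bind_zones_play }}'` loops in the next two hunks of tasks/zones.yml then abort on an undefined variable instead of doing nothing. Because a fact set this way persists for the host for the rest of the play, a second inclusion of the role would also append the same items again and process every zone twice. Initialising the list before the accumulating task covers both cases, `- set_fact: {bind_zones_play: []}`, or alternatively `with_items: '{{ bind_zones_play | default([]) }}'` at each consumer. Separately, if `bind_zones_subset` arrives as a plain string from `-e` rather than the array the README describes, `item.key in bind_zones_subset` degrades to a substring test, so a value such as `local` would select every zone containing it; a guard like `bind_zones_subset is not string` in the `when`, or a failing assert task, would make the list-only contract explicit.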
@@ -5,8 +10,7 @@ group: bind mode: 0755 state: directory - with_dict: '{{ bind_zones }}' - when: item.value.state is not defined or item.value.state != 'absent' + with_items: '{{ bind_zones_play }}' - name: copy zone files template: @@ -15,9 +19,8 @@ owner: root group: root mode: 0644 - with_dict: '{{ bind_zones }}' + with_items: '{{ bind_zones_play }}' register: zone - when: item.value.state is not defined or item.value.state != 'absent' notify: reload bind - name: dnssec sign diff --git a/test/integration/bind-zones-subset/default.yml b/test/integration/bind-zones-subset/default.yml new file mode 120000 index 0000000..dca1e17 --- /dev/null +++ b/test/integration/bind-zones-subset/default.yml @@ -0,0 +1 @@ +../bind/default.yml \ No newline at end of file diff --git a/test/integration/bind-zones-subset/serverspec/bind_spec.rb b/test/integration/bind-zones-subset/serverspec/bind_spec.rb new file mode 100644 index 0000000..93b2412 --- /dev/null +++ b/test/integration/bind-zones-subset/serverspec/bind_spec.rb 
@@ -0,0 +1,99 @@
+require 'serverspec'
+
+set :backend, :exec
+
+puts
+puts '================================'
+puts %x(ansible --version)
+puts '================================'
+
+%w[
+ bind9
+ cron
+].each do |package|
+ describe package(package) do
+ it { should be_installed }
+ end
+end
+
+describe file('/etc/bind/zones/test.local') do
+ it { should be_directory }
+ it { should be_mode 755 }
+ it { should be_owned_by 'bind' }
+ it { should be_grouped_into 'bind' }
+end
+
+describe file('/etc/bind/zones/test.local/db') do
+ it { should be_file }
+ it { should be_mode 644 }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+end
+
+describe file('/etc/bind/zones/test.local/db.signed') do
+ it { should be_file }
+ it { should be_mode 644 }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+end
+
+%w[
+ absent.local
+ hello.local
+ disabled.local
+].each do |zone|
+ describe file("/etc/bind/zones/#{zone}") do
+ it { should_not exist }
+ end
+end
+
+describe file('/etc/bind/named.conf.local') do
+ it { should be_file }
+ it { should be_mode 644 }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ it { should contain '4.2.2.4' }
+ it { should contain 'inline-signing yes;' }
+end
+
+describe file('/etc/bind/named.conf.options') do
+ it { should be_file }
+ it { should be_mode 644 }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ it { should contain 'listen-on { any; };' }
+ it { should contain 'listen-on-v6 { none; };' }
+ it { should contain 'server-id "1";' }
+end
+
+describe service('bind9') do
+ it { should be_enabled }
+ it { should be_running.under('systemd') }
+end
+
+describe port(53) do
+ it { should be_listening.with('tcp') }
+ it { should be_listening.with('udp') }
+end
+
+describe command('dig +nocmd +noall +answer +dnssec hello.test.local @127.0.0.1') do
+ its(:exit_status) { should eq 0 }
+ its(:stdout) { should contain(/hello\.test\.local\.\s+300\s+IN\s+A\s+1\.2\.3\.4/) }
+ its(:stdout) { should contain(/hello\.test\.local\.\s+300\s+IN\s+RRSIG\s+A /) }
+end
+
+describe command('dig +nocmd +noall +answer -t mx test.local @127.0.0.1') do
+ its(:exit_status) { should eq 0 }
+ its(:stdout) { should contain(/test\.local\.\s+3600\s+IN\s+MX\s+20 mail\.test\.local\./) }
+end
+
+describe command('dig +nocmd +noall +answer -t srv hello.test.local @127.0.0.1') do
+ its(:exit_status) { should eq 0 }
+ its(:stdout) { should contain(/hello\.test\.local\.\s+3600\s+IN\s+SRV\s+0\s+5\s+80\s+www\.test\.local\.$/) }
+end
+
+describe command('dig +nocmd +noall +answer -t caa hello.test.local @127.0.0.1') do
+ its(:exit_status) { should eq 0 }
+ its(:stdout) { should contain(/hello\.test\.local\.\s+3600\s+IN\s+CAA\s+0 issue "letsencrypt\.org"/) }
+ its(:stdout) { should contain(/hello\.test\.local\.\s+3600\s+IN\s+CAA\s+0 iodef "mailto:root@test\.local"/) }
+end
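Review bot: The `%w[absent.local hello.local disabled.local]` absence block is the only assertion in this spec that is specific to the subset suite, and it cannot distinguish a zone skipped by `bind_zones_subset` from one that was never defined in the fixture, which is the shared `../bind/default.yml` symlinked in this same commit. If the subset is meant to leave the other zones declared but untouched, pinning the declaration in the `named.conf.local` block, e.g. `it { should contain 'hello.local' }` (presuming `hello.local` is a zone in that fixture), would make the intended behaviour testable; if they are meant to vanish from the config, assert `should_not contain` there instead. As written, a regression that drops non-selected zones from named.conf.local entirely would still pass this suite.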