diff --git a/CHANGES b/CHANGES
index 8aa92b17de..ebf6a07236 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4032. [bug] Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view.
+ [RT #38310]
+
4031. [bug] named-checkconf -z failed to report a missing file
with a hint zone. [RT #38294]
diff --git a/bin/named/server.c b/bin/named/server.c
index 113b1259c4..8c322c18fb 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -2258,16 +2258,19 @@ create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
dns_zone_setnotifytype(zone, dns_notifytype_no);
dns_zone_setdialup(zone, dns_dialuptype_no);
- if (view->queryacl)
+ if (view->queryacl != NULL)
dns_zone_setqueryacl(zone, view->queryacl);
else
dns_zone_clearqueryacl(zone);
- if (view->queryonacl)
+ if (view->queryonacl != NULL)
dns_zone_setqueryonacl(zone, view->queryonacl);
else
dns_zone_clearqueryonacl(zone);
dns_zone_clearupdateacl(zone);
- dns_zone_clearxfracl(zone);
+ if (view->transferacl != NULL)
+ dns_zone_setxfracl(zone, view->transferacl);
+ else
+ dns_zone_clearxfracl(zone);
CHECK(setquerystats(zone, view->mctx, statlevel));
if (db != NULL) {
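Review bot: When `view->transferacl` is NULL, the new `else` branch still calls `dns_zone_clearxfracl(zone)`, so the empty zone ends up with no transfer ACL at all. What an AXFR request gets in that case is decided by the transfer-out code, which this hunk does not show; if that default is permissive, empty zones remain transferable whenever no `allow-transfer` is configured. A comment above the new block would record the intent, for example `/* Inherit allow-transfer from the view; with none set the zone has no xfr ACL and the server default applies. */`. The body of create_empty_zone starts and ends outside the hunk, so how `view->transferacl` is populated from the options level could not be checked here.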
diff --git a/bin/tests/system/emptyzones/clean.sh b/bin/tests/system/emptyzones/clean.sh
index 13a5e9e147..0f761a1874 100644
--- a/bin/tests/system/emptyzones/clean.sh
+++ b/bin/tests/system/emptyzones/clean.sh
@@ -13,3 +13,4 @@
# PERFORMANCE OF THIS SOFTWARE.
rm -f ns1/named.conf
+rm -f dig.out.test*
diff --git a/bin/tests/system/emptyzones/ns1/named2.conf b/bin/tests/system/emptyzones/ns1/named2.conf
index 60cc5efd79..ae0e6e2f99 100644
--- a/bin/tests/system/emptyzones/ns1/named2.conf
+++ b/bin/tests/system/emptyzones/ns1/named2.conf
@@ -41,9 +41,14 @@ options {
except-from { "goodcname.example.net";
"gooddname.example.net"; };
allow-query {!10.53.0.8; any; };
+ allow-transfer { none; };
};
zone "." {
type hint;
file "root.hint";
};
+
+zone "1.10.in-addr.arpa" {
+ type master; file "empty.db";
+};
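Review bot: The added `zone "1.10.in-addr.arpa"` stanza loads `empty.db`, which this commit does not add, so the test depends on that file already existing in ns1/. If it is missing, the zone will presumably fail to load and the AXFR check in tests.sh would no longer exercise the configuration it was written for. The stanza also does not say why a zone below 10.in-addr.arpa is needed; a line such as `# zone below 10.in-addr.arpa, used by the allow-transfer test [RT #38310]` would make that clear.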
diff --git a/bin/tests/system/emptyzones/tests.sh b/bin/tests/system/emptyzones/tests.sh
index 755d89d56f..672f9d4055 100644
--- a/bin/tests/system/emptyzones/tests.sh
+++ b/bin/tests/system/emptyzones/tests.sh
@@ -32,4 +32,12 @@ $DIG +vc version.bind txt ch @10.53.0.1 -p 5300 > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo "I:check that allow-transfer { none; } works ($n)"
+ret=0
+$DIG axfr 10.in-addr.arpa @10.53.0.1 -p 5300 +all > dig.out.test$n || ret=1
+grep "status: REFUSED" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
exit $status
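Review bot: The new check covers only the options-level `allow-transfer { none; }` from named2.conf, while the CHANGES entry says inheritance from the view was affected as well. A second case with the ACL set inside a `view` statement would cover the other path. There is also no positive control: the check passes on any `status: REFUSED` reply, so it does not show that 10.in-addr.arpa was actually served as the built-in empty zone. A preceding `$DIG soa 10.in-addr.arpa @10.53.0.1 -p 5300 > dig.out.test$n.soa || ret=1`, with a grep for `status: NOERROR`, would pin that down.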
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 4e62335577..c34dc65642 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -275,6 +275,12 @@
contacting authoritative servers for the first time.
+
+
+ Built-in "empty" zones did not correctly inherit the
+ "allow-transfer" ACL from the options or view. [RT #38310]
+
+