I have three load-balanced (LB) nameservers in three geographic locations. Each LB has a front-end public IP address, and two back-end IP addresses (one for BIND and another for zone transfer) are assigned to the actual BIND 9 server running Red Hat Enterprise Linux 5.2, as follows:

LB1 - 202.54.1.2 -> Master BIND 9.x
LB2 - 75.54.1.2  -> Slave BIND 9.x
LB3 - 41.54.1.2 -> Slave BIND 9.x

So when a zone transfer initiates from a slave server, all I get is the following errors on the master BIND 9 server (LB1):

Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#50968: zone transfer 'example.com/AXFR/IN' denied
Jan  1 14:11:20 ns1 named[5323]: client 75.54.xx.xx#54359: zone transfer 'example.org/AXFR/IN' denied

 

A connection cannot be established; it tries again with the server's main IP or the LB2 / LB3 IP. This is a problem because my servers are geo-located and load balanced. After some research I came across the documentation, which suggests other IPs can be used when the transfer-source fails. You need to place the following two directives in the options section of named.conf on each slave server:
transfer-source IPv4-address;
transfer-source-v6 IPv6-address;

The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source addresses, respectively, to be used for zone transfers with the remote server. The address must be one the master accepts zone transfers from; otherwise the master logs the request as denied, as in the messages above. Also, you need to set use-alt-transfer-source to yes so that the alternate transfer sources can be used. In short, add the following two directives to the options or server section of your named.conf:

transfer-source 75.54.xx.xx;
use-alt-transfer-source yes;

Here is my sample named.conf file:

 // Slave server ns2.example.com
options
{
        listen-on-v6 { none; };
        listen-on { xx.yy.zz.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { xx.yy.zz.yy; aa.bb.cc.dd; };
        version "NS2 [BIND]";
        transfer-source  75.54.xx.xx  ;
        use-alt-transfer-source yes;

};
logging
{
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
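/* TSIG key shared with the master server (signs zone transfer requests) */
        key "TRANSFER" {
                // hmac-md5 is the legacy TSIG algorithm; use hmac-sha256 where both servers support it
                algorithm hmac-md5;
                secret "YOUR-KEY";
        };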

        server aa.bb.cc.dd {
                keys { TRANSFER; };
        };

/*  Get rndc key */
         include "/etc/rndc.key";

/*      Get localhost and other rfc stuff */
        include "/etc/named.rfc1912.zones";

/*      Get root server */
        include "/etc/named.root.hints";

/*      Get our zones */
        include "/etc/named.conf.zones.local";

Finally, restart named:
# named-checkconf -t /var/named/chroot/ && rndc reload
OR
# rndc reload
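
To confirm the change from the master's side, the "denied" lines shown earlier can be grouped by client address: a slave still connecting from the wrong source shows up as one of your own addresses, while anything else is an outside host asking for a transfer. This is an added example, not part of the original post; the 198.51.100.0/29 slave block and the sample log lines are constructed, and the regex also tolerates the extra fields newer BIND 9 releases put in this message.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the denial message from the master's log. The optional groups accept
# the "@0x... " and " (zone)" fields that newer BIND 9 releases add.
DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[^#\s]+)#\d+"
    r"(?: \([^)]*\))?: zone transfer '(?P<zone>[^/']+)/(?:AXFR|IXFR)/\w+' denied"
)

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Jan  1 14:11:20 ns1 named[5323]: client 198.51.100.7#50968: zone transfer 'example.com/AXFR/IN' denied
Jan  1 14:11:20 ns1 named[5323]: client 198.51.100.7#54359: zone transfer 'example.org/AXFR/IN' denied
Jan  1 14:12:02 ns1 named[5323]: client 203.0.113.50#41022: zone transfer 'example.com/AXFR/IN' denied
Jan  1 14:12:05 ns1 named[5323]: client 198.51.100.7#50970: transfer of 'example.com/IN': AXFR started
""".splitlines()

# Assumption: every address a slave site could connect from (LB and back ends).
SLAVE_NETS = ["198.51.100.0/29"]

def classify_denials(lines, slave_nets):
    """Group denied transfers by client IP and label each client 'own-slave'
    (our server, wrong source address) or 'unknown' (not one of ours)."""
    nets = [ipaddress.ip_network(n) for n in slave_nets]
    report = defaultdict(lambda: {"kind": None, "zones": set(), "count": 0})
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not a transfer denial
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # masked or malformed address such as 75.54.xx.xx
        entry = report[str(ip)]
        entry["kind"] = "own-slave" if any(ip in n for n in nets) else "unknown"
        entry["zones"].add(m.group("zone"))
        entry["count"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, e in sorted(classify_denials(SAMPLE_LOG, SLAVE_NETS).items()):
        print(f"{ip:15} {e['kind']:9} denied={e['count']} zones={sorted(e['zones'])}")
```

An "own-slave" entry means that slave's transfer-source still needs fixing; an "unknown" entry is a host outside your slave set requesting a full zone copy and is worth watching.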