In article ,
Mark Jeftovic wrote:

> What is the difference between doing an AXFR or IXFR from the command
> line using dig, and then having bind9 timeout on the refresh when it
> tries to do it in production?


My understanding is thus:

The difference is that when the slave BIND server issues the AXFR or
IXFR, it then closes the connection instead of leaving the connection
open and waiting for a response (which is what happens with dig).

Because of this, there needs to be an explicit hole punched in the
firewall at the master server to allow outgoing connections in the
1024-65535 range. And, at the slave end there needs to be a matching
hole to allow incoming connections to those ports (sourced from port
53).

If you don't do this you will tend to see the transfers time out, just
as you are seeing.