> > Because of this, there needs to be an explicit hole punched in the
> > firewall at the master server to allow outgoing connections in the
> > 1024-65535 range. And, at the slave end there needs to be a matching
> > hole to allow incoming connections to those ports (sourced from port
> > 53).

> This is totally wrong. The DNS protocol contains no mechanism like this.

Then explain the difference. DIG works and can transfer the zone using
AXFR, but actual transfers initiated by a BIND slave fail. I've seen
this time and again and the problem is always with the firewall rules.

What is different between the way DIG handles the transfer and how BIND
handles it?
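As an added example that is not part of the thread: a small probe of the one flow an AXFR actually needs, a single TCP connection from an ephemeral port on the slave to port 53 on the master, which makes it easy to tell a firewall drop (timeout) from a server refusal (RCODE 5). The zone name, transaction id and the constructed sample reply are assumptions, not values from the thread.

```python
import socket
import struct

QTYPE_AXFR = 252  # zone transfer request type (RFC 1035)
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted zone name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Return a TCP-framed AXFR query: 2-byte length prefix, then the message."""
    # header: id, flags (plain query, RD=0), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def parse_reply_header(frame):
    """Parse one TCP-framed reply; return (txid, rcode, answer_count)."""
    (length,) = struct.unpack("!H", frame[:2])
    msg = frame[2:2 + length]
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, an


# Constructed sample reply (assumption): QR/RD/RA set, RCODE=5 (REFUSED), no RRs.
SAMPLE_REFUSED = struct.pack("!H", 12) + struct.pack("!HHHHHH", 0x1234, 0x8185, 0, 0, 0, 0)


def check_axfr(master_ip, zone, timeout=5.0):
    """Open TCP/53 to the master, send the AXFR query, parse the first reply.
    A socket timeout here points at the firewall; RCODE 5 points at allow-transfer."""
    with socket.create_connection((master_ip, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        hdr = s.recv(2)
        (length,) = struct.unpack("!H", hdr)
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
        return parse_reply_header(hdr + body)
```

Run `check_axfr("<master ip>", "<zone>")` from the slave host; the source port is whatever the kernel picks, the destination is always 53.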