Hi,
I'm running bind 9.3.4.2 on four debian etch servers. Here's the setup:
Two servers are in a private network, server1 is primary master and
server3 is the slave, two are in an external network, server2 is slave of
server1 above and master for server4 (which is the external slave). All
updates of zones are made on server1, and propagated to the other servers
via TSIG authentication, following this scheme: S1 sends notify to S3
and S2. Then S2 notifies S4.

The problem: for one of my zones (I have several), S4 doesn't update
correctly. For example, if I increment the serial and comment out a DNS
record, then issue a /etc/init.d/bind9 restart, S2 and S3 update correctly
but S4 is one update late, e.g. it is 2007051801 instead of 2007051802, and
so on: 02 instead of 03, 03 instead of 04...

The only way to get it working is to restart bind from S1 TWICE, which is
rather unexpected. For my other zones everything runs well with one
restart only.

Of course, there are no error messages. S2 sends notify to S4, S4 says
'zone is up to date', but doesn't update.

Would you have any idea of what might be going wrong?

Thanks for your help.

PS: this is not a firewall problem: there is one fw between S1 and S2
but NOT between S2 and S4.
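
An added example, not part of the original post: to see which hop in the S1 -> S2 -> S4 chain is behind, compare each server's SOA serial with its master's using RFC 1982 serial arithmetic. The zone name example.org, the sample `dig +short SOA` answers and the function names are constructed for illustration.

```python
# Added example: find slaves whose SOA serial is older than their master's.
# Topology follows the post; zone name and answers below are constructed.

CHAIN = {"S1": None, "S3": "S1", "S2": "S1", "S4": "S2"}  # server -> its master

# Constructed `dig +short SOA example.org @<server>` answers, one per server:
# mname rname serial refresh retry expire minimum
SAMPLE = {
    "S1": "ns1.example.org. hostmaster.example.org. 2007051802 3600 900 604800 86400",
    "S3": "ns1.example.org. hostmaster.example.org. 2007051802 3600 900 604800 86400",
    "S2": "ns1.example.org. hostmaster.example.org. 2007051802 3600 900 604800 86400",
    "S4": "ns1.example.org. hostmaster.example.org. 2007051801 3600 900 604800 86400",
}


def soa_serial(answer):
    """Return the serial (third field) of a `dig +short SOA` answer line."""
    fields = answer.split()
    if len(fields) != 7 or not fields[2].isdigit() or int(fields[2]) >= 2**32:
        raise ValueError(f"not a SOA answer: {answer!r}")
    return int(fields[2])


def serial_newer(a, b):
    """True if serial a is newer than b under RFC 1982 (32-bit wraparound)."""
    return a != b and (a - b) % 2**32 < 2**31


def lagging(chain, answers):
    """List (server, master, server_serial, master_serial) for each stale slave."""
    serials = {name: soa_serial(line) for name, line in answers.items()}
    return [
        (server, master, serials[server], serials[master])
        for server, master in chain.items()
        if master is not None and serial_newer(serials[master], serials[server])
    ]


if __name__ == "__main__":
    for server, master, have, want in lagging(CHAIN, SAMPLE):
        print(f"{server} has serial {have}, its master {master} has {want}")
```

Running the check right after each reload on S1 shows whether S2 already serves the new serial at the moment S4 reports 'zone is up to date'.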