I have HE DNS set up as a slave to my domains - everything is working well except for NOTIFY updates.
I seem to be unable to send NOTIFY updates to ns1.he.net - when I do, I get a response back that the update has been refused. It doesn't show up in the BIND logs, but I tripped over this while grokking tcpdump output trying to figure out the problem:
root@namemaster-01:/home/ken# service bind9 restart
root@namemaster-01:/home/ken# 23:29:13.900612 IP 10.10.10.10.23045 > 184.108.40.206.53: 42247 notify [b2&3=0x2400] [1a] SOA? domain1.ca. (83)
23:29:13.935776 IP 220.127.116.11.53 > 10.10.10.10.23045: 42247 notify Refused*- 0/0/0 (26)
23:29:14.392570 IP 10.10.10.10.54136 > 18.104.22.168.53: 26176 notify [b2&3=0x2400] [1a] SOA? domain2.com. (85)
23:29:14.427565 IP 22.214.171.124.53 > 10.10.10.10.54136: 26176 notify Refused*- 0/0/0 (28)
23:29:14.892512 IP 10.10.10.10.32468 > 126.96.36.199.53: 59642 notify [b2&3=0x2400] [1a] SOA? reverseDomain.in-addr.arpa. (104)
23:29:14.926442 IP 188.8.131.52.53 > 10.10.10.10.32468: 59642 notify Refused*- 0/0/0 (47)
IP addresses have been obfuscated, obviously, but the 10.10.10.10 server you see there is set up as the master for all these domains.
Any idea why these NOTIFY messages are being refused? I'm racking my brain trying to figure it out and I'm at a dead end...