I have HE DNS set up as a slave to my domains - everything is working well except for NOTIFY updates.
I seem to be unable to send NOTIFY updates to ns1.he.net - when I do, I get a response back that the update has been refused. It doesn't show up in the BIND logs, but I tripped over this while grokking tcpdump output trying to figure out the problem:
root@namemaster-01:/home/ken# service bind9 restart
root@namemaster-01:/home/ken# 23:29:13.900612 IP 10.10.10.10.23045 > 220.127.116.11.53: 42247 notify [b2&3=0x2400] [1a] SOA? domain1.ca. (83)
23:29:13.935776 IP 18.104.22.168.53 > 10.10.10.10.23045: 42247 notify Refused*- 0/0/0 (26)
23:29:14.392570 IP 10.10.10.10.54136 > 22.214.171.124.53: 26176 notify [b2&3=0x2400] [1a] SOA? domain2.com. (85)
23:29:14.427565 IP 126.96.36.199.53 > 10.10.10.10.54136: 26176 notify Refused*- 0/0/0 (28)
23:29:14.892512 IP 10.10.10.10.32468 > 188.8.131.52.53: 59642 notify [b2&3=0x2400] [1a] SOA? reverseDomain.in-addr.arpa. (104)
23:29:14.926442 IP 184.108.40.206.53 > 10.10.10.10.32468: 59642 notify Refused*- 0/0/0 (47)
IP addresses have been obfuscated, obviously, but the 10.10.10.10 server you see there is set up as the master for all these domains.
Any idea why these NOTIFY messages are being refused? I'm racking my brain trying to figure it out and I'm at a dead end...