Transferência de zona entre PowerDNS e Bind9

Estou com um problema ao tentar transferir uma zona completa de um servidor PowerDNS para um servidor Bind9. A parte estranha é que existem várias zonas no servidor PowerDNS que servem como um mestre oculto (com um back-end MySQL), mas apenas uma zona está falhando ao ser transferida para o servidor Bind9.

Os dois servidores estão executando o Ubuntu 16.04 LTS. Com:

• Versão Bind9 = 9.10.3.dfsg.P4-8ubuntu1
• Versão do PowerDNS = 4.0.0~alpha2-3build1

A zona escrava Bind9 é configurada assim:

zone "example.net" {
    type slave;
    file "/var/lib/bind/slaves/db.example.net";
    masters {
          10.0.0.1;
    };
};

E a zona DNS do PowerDNS é:

% sudo pdnsutil show-zone example.net
This is a Master zone
Last SOA serial number we notified: 2016050801 == 2016050801 (serial in the database)
Zone is not actively secured
Metadata items: None
No keys for zone 'example.net.'.

% sudo pdnsutil list-zone example.net
example.net.    10800   IN  MX  10 mx1.example.org.
example.net.    10800   IN  MX  50 mx2.example.org.
example.net.    10800   IN  NS  ns1.example.org.
example.net.    10800   IN  NS  ns2.example.org.
example.net.    86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
...

Observe a diferença entre .net e .org nesta saída. E aqui está a saída do PowerDNS no log ao tentar fornecer a zona para o Bind.

May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2
May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips
May  9 00:44:14 hdns01 pdns[40494]: AXFR of domain 'example.net.' failed: not authoritative

E os logs correspondentes fornecidos por Bind.

May  9 00:44:14 rdns01 named[32973]: zone example.net/IN: refresh: unexpected rcode (REFUSED) from master 10.0.0.1#53 (source 0.0.0.0#0)
May  9 00:44:14 rdns01 named[32973]: zone example.net/IN: Transfer started.
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: connected using 10.0.0.2#55376
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: failed while receiving responses: NOTAUTH
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer status: NOTAUTH
May  9 00:44:14 rdns01 named[32973]: transfer of 'example.net/IN' from 10.0.0.1#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.004 secs (0 bytes/sec)

Portanto, o Bind9 está dizendo que o servidor não é autoritário. Isso é estranho. Então vamos usar dig para deixar as coisas um pouco mais claras.

% dig @10.0.0.1 example.net. SOA          

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @10.0.0.1 example.net. SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47002
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;example.net.           IN  SOA

;; ANSWER SECTION:
example.net.        86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400

;; Query time: 2 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon May 09 00:53:51 CEST 2016
;; MSG SIZE  rcvd: 104

Parece bastante autoritário para mim. Então, depois disso, tentei fazer um AXFR com dig. E surpresa, funciona...

% dig -t axfr example.net @10.0.0.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t axfr example.net @10.0.0.1
;; global options: +cmd
example.net.        86400   IN  SOA ns1.example.org. hostmaster.example.org. 2016050801 28800 7200 604800 86400
...
;; Query time: 73 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Mon May 09 00:56:42 CEST 2016
;; XFR size: 58 records (messages 3, bytes 1952)

Não sei mais onde procurar.

Obrigado pela ajuda.

ATUALIZAR:

Registros de uma captura de pacote:

1   0.000000    10.0.0.2    10.0.0.1    DNS 82  Standard query 0xe0dd SOA example.net OPT
2   0.002902    10.0.0.1    10.0.0.2    DNS 82  Standard query response 0xe0dd Refused SOA example.net OPT
6   0.004506    10.0.0.2    10.0.0.1    DNS 97  Standard query 0x205c AXFR example.net
8   0.006432    10.0.0.1    10.0.0.2    DNS 97  Standard query response 0x205c Not authoritative AXFR example.net

Logs do PowerDNS de um AXFR manual bem-sucedido:

May  9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' initiated by 10.0.0.2
May  9 08:19:51 hdns01 pdns[40494]: AXFR of domain 'example.net.' allowed: client IP 10.0.0.2 is in allow-axfr-ips
May  9 08:19:52 hdns01 pdns[40494]: AXFR of domain 'example.net.' to 10.0.0.2 finished

Arquivo de configuração do PowerDNS:

#################################
# allow-axfr-ips    Allow zonetransfers only to these subnets
#
allow-axfr-ips=127.0.0.0/8,::1,10.0.0.2

#################################
# also-notify   When notifying a domain, also notify these nameservers
#
also-notify=10.20.1.78,10.0.0.2

#################################
# daemon    Operate as a daemon
#
daemon=yes

#################################
# include-dir   Include *.conf files from this directory
#
# include-dir=
include-dir=/etc/powerdns/pdns.d

#################################
# launch    Which backends to launch and order to query them in
#
# launch=
launch=

#################################
# master    Act as a master
#
master=yes

#################################
# setgid    If set, change group id to this gid for more security
#
setgid=pdns

#################################
# setuid    If set, change user id to this uid for more security
#
setuid=pdns

E a parte de configuração do back-end do MySQL dentro do diretório /etc/powerdns/pdns.d/ .

# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql

# gmysql parameters
gmysql-host=127.0.0.1
gmysql-port=
gmysql-dbname=pdns
gmysql-user=MYUSER
gmysql-password=MYPASSWORD
gmysql-dnssec=yes
# gmysql-socket=