BIND9 sends notify for slave zones, but why?


Our BIND9 installations (on 141.42.1.11, 2.22, 3.33 and 196.196) are slaves for the zone vdi.charite.de:

  29-Dec-2016 14:28:31.082 general: zone vdi.charite.de/IN: notify from 10.32.32.51#53930: serial 13301424
  29-Dec-2016 14:28:31.085 general: zone vdi.charite.de/IN: Transfer started.
  29-Dec-2016 14:28:31.144 general: zone vdi.charite.de/IN: transferred serial 13301424

And, although all of our internal DNS servers are merely slaves for the vdi zone, we're still seeing NOTIFY from the other slave servers:

  29-Dec-2016 14:28:31.623 general: zone vdi.charite.de/IN: refused notify from non-master: 141.42.2.22#36708
  29-Dec-2016 14:28:31.637 general: zone vdi.charite.de/IN: refused notify from non-master: 141.42.3.33#59869
  29-Dec-2016 14:28:31.639 general: zone vdi.charite.de/IN: refused notify from non-master: 141.42.196.196#37013

Why? How can I turn this off?

The zone is defined:

   zone "vdi.charite.de"            {type slave; file "vdi.charite.de"; masters { 10.32.32.51; 10.47.120.201; }; };

and our options include:

   notify yes; // send DNS NOTIFY

1 answer

Dusan Bajic (best answer):

That is expected behavior. From the BIND 9 Administrator Reference Manual:

page 15:

DNS NOTIFY is a mechanism that allows master servers to notify their slave servers of changes to a zone’s data.

but also

As a slave zone can also be a master to other slaves, named, by default, sends NOTIFY messages for every zone it loads. Specifying notify master-only; will cause named to only send NOTIFY for master zones that it loads.

and in more detail on page 88:

notify

If yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes, see Section 4.1. The messages are sent to the servers listed in the zone’s NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the also-notify option.

If master-only, notifies are only sent for master zones.
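A named.conf excerpt showing the change the answer describes, as an added example that is not the question's or the answer's own configuration: the global `notify yes;` replaced by `notify master-only;` alongside the slave zone from the question. The second zone (a constructed placeholder name) shows the zone-level `notify no;` form, which goes beyond the quoted ARM text and is an assumption about the option's zone scope.

```conf
// Constructed named.conf excerpt (added example, not the page's own config).
// Assumes it is deployed on each of the secondaries named in the question
// (141.42.1.11, 141.42.2.22, 141.42.3.33 and 141.42.196.196).

options {
    // Before: "notify yes;" (the default) makes named send NOTIFY for every
    // zone it loads, slave zones included, so after each transfer every
    // secondary notified the others, which logged
    // "refused notify from non-master".
    //
    // After: only zones of type master generate NOTIFY messages.
    notify master-only;   // send DNS NOTIFY for master zones only
};

// Slave zone exactly as in the question; with the global setting above it
// no longer sends NOTIFY to the other NS records after each transfer.
zone "vdi.charite.de" {
    type slave;
    file "vdi.charite.de";
    masters { 10.32.32.51; 10.47.120.201; };
};

// Alternative (assumption, beyond the quoted ARM text): keep the global
// default for any master zones this server hosts and silence NOTIFY for a
// single slave zone by setting the option inside that zone statement.
// The zone name below is a constructed placeholder.
zone "example-secondary.test" {
    type slave;
    file "example-secondary.test";
    masters { 10.32.32.51; };
    notify no;
};
```

Validate the file with named-checkconf and apply it with rndc reconfig; the "refused notify from non-master" lines should stop appearing on the other secondaries after the next transfer.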