Introduction

Secondary DNS not syncing is a dangerous problem because zone data can look correct on the primary while public resolvers still receive stale answers from secondaries. The usual root cause is a broken transfer path, a serial number that never increments, or a trust rule preventing the secondary from pulling updates. Recovery depends on validating the replication workflow between authoritative servers, not just checking one zone file.

Symptoms

  • DNS changes appear on the primary server but not on secondary name servers
  • Some resolvers return updated answers while others still serve stale records
  • Zone transfer logs show failures, timeouts, or refused requests
  • The issue started after changing IPs, ACLs, firewall rules, or DNS software
  • SOA serial values differ between primary and secondary authorities

Common Causes

  • AXFR or IXFR zone transfers are blocked by ACLs, TSIG issues, or firewall rules
  • The zone serial number did not increment after a record change
  • NOTIFY configuration is missing or points to the wrong secondary servers
  • The secondary polls the wrong primary or cannot reach it over the network
  • A hidden primary, provider migration, or split-horizon setup introduced inconsistent zone sources

Step-by-Step Fix

  1. Compare SOA serial numbers on the primary and every secondary to confirm which nodes are out of date.
  2. Verify the primary increments the zone serial when records change and that the updated zone is actually loaded.
  3. Review transfer permissions, TSIG settings, and firewall rules so the secondary is allowed to perform AXFR or IXFR.
  4. Check NOTIFY behavior and confirm the primary is signaling the correct secondary endpoints after each change.
  5. Validate the secondary is configured to pull from the right primary IP or hidden-master source.
  6. Inspect DNS server logs on both sides for refused transfers, authentication failures, timeouts, or malformed zone data.
  7. Trigger a manual refresh or transfer after correcting the blocked dependency so you can verify sync recovers.
  8. Query each authoritative server directly to confirm record data and serial values now match.
  9. Document zone-transfer ownership and monitoring so future DNS changes alert you before secondaries drift again.
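As an added illustration of steps 1 and 8 (example code, not part of the original article), the script below parses the SOA serial from `dig +short` output for each authoritative server and labels every node as in sync, stale, ahead of the primary, or unanswering. It uses RFC 1982 serial arithmetic so a serial that has wrapped around 2^32 is not misread as a rollback. The hostnames, serials, and sample dig output are constructed; `fetch_soa_serial()` is the live variant that runs dig against a real server.

```python
import re
import subprocess
from typing import Dict, Optional

# Constructed `dig +short @<server> example.com SOA` output (hypothetical hosts/serials):
# ns2 missed the last transfer, ns3 returns nothing (refused, timed out, or not authoritative).
SAMPLE_OUTPUT = {
    "ns0.example.com": "ns0.example.com. hostmaster.example.com. 2024061503 3600 900 604800 300",
    "ns1.example.com": "ns0.example.com. hostmaster.example.com. 2024061503 3600 900 604800 300",
    "ns2.example.com": "ns0.example.com. hostmaster.example.com. 2024061501 3600 900 604800 300",
    "ns3.example.com": "",
}
SOA_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s*$")

def parse_soa_serial(short_output: str) -> Optional[int]:
    """Serial field of a `dig +short SOA` answer, or None when there is no SOA answer."""
    m = SOA_RE.match(short_output.strip())
    return int(m.group(1)) if m else None

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is a later than b, allowing for 32-bit wraparound?"""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)

def fetch_soa_serial(server: str, zone: str) -> Optional[int]:
    """Live lookup against one authoritative server directly, bypassing caching resolvers."""
    proc = subprocess.run(["dig", "+short", f"@{server}", zone, "SOA"],
                          capture_output=True, text=True, timeout=10)
    return parse_soa_serial(proc.stdout)

def classify(serials: Dict[str, Optional[int]], primary: str) -> Dict[str, str]:
    """Label each server relative to the primary's serial."""
    ref = serials[primary]
    if ref is None:
        raise ValueError(f"{primary} returned no SOA; fix the primary before chasing secondaries")
    labels = {}
    for server, serial in serials.items():
        if serial is None:
            labels[server] = "no answer"        # transfer refused, unreachable, or not authoritative
        elif serial == ref:
            labels[server] = "in sync"
        elif serial_gt(ref, serial):
            labels[server] = "stale"            # missed NOTIFY or blocked AXFR/IXFR
        else:
            labels[server] = "ahead of primary"  # inconsistent zone source (split/hidden master)
    return labels

def check_sample() -> Dict[str, str]:
    """Run the comparison over the constructed sample; swap in fetch_soa_serial() for real servers."""
    return classify({s: parse_soa_serial(o) for s, o in SAMPLE_OUTPUT.items()}, "ns0.example.com")
```

A server labelled "ahead of primary" is the signature of the inconsistent-source case in Common Causes, and deserves the same attention as a stale one.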