DNS
Split Horizon and TSIGs
The Problem
There is a corner case when using split-horizon views on machines with a single interface. When the master sends a NOTIFY for a zone update, the slave servers request a zone transfer, but the source address they use for that request decides which view the master serves them (probably the internal view), whatever view the slave was meant to carry. Oh dear. What's worse is that this failure to update is only visible to clients reaching the zone via the other view. Oh dear oh dear.
The Solution
TSIGs (of course!).
You will need to create a TSIG key per view (a TSIG key is a shared secret, so the same key is configured on both master and slave) -- and if you want to be even more precise, a key per slave server per view. This latter case comes into play where you might have regional slaves and each region should get a different view.
Then simply limit the access to the views by TSIG. Some careful naming might help here.
master
options { allow-transfer { none; }; };
key master-update-X { ... };
key slaveN-axfr-X { ... };
view X {
    also-notify { slaveN-IP key master-update-X; };
    allow-transfer { { slaveN-IP; }; key slaveN-axfr-X; };
};
slave
options { allow-transfer { none; }; };
key master-update-X { ... };
key slaveN-axfr-X { ... };
view X {
    allow-notify { key master-update-X; };
    server master-IP { keys { slaveN-axfr-X; }; };
};
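The fragments above leave out the part that actually routes a signed request to the right view: in BIND a view is chosen by its match-clients list, and a key element there matches a request signed with that key regardless of the address it came from. The following is an added example, not configuration from the original page, showing a complete two-view master and one slave using that mechanism. The view names, zone, addresses (192.0.2.1 for the master, 192.0.2.10 for the slave, 10.0.0.0/8 for internal clients) and the key names are assumptions; the secrets are placeholders to be replaced with output of tsig-keygen.

```conf
# ---- /etc/bind/tsig-keys.conf: identical on master and slave ----
# Added example (not from the original page). Secrets are placeholders:
# generate each with `tsig-keygen <name>` and keep this file readable by named only.
key "master-update-int" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET_1"; };
key "master-update-ext" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET_2"; };
key "slave1-axfr-int"   { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET_3"; };
key "slave1-axfr-ext"   { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET_4"; };

# ---- master (192.0.2.1): named.conf ----
options {
    allow-transfer { none; };   # nothing transfers unless a view allows it explicitly
};
include "/etc/bind/tsig-keys.conf";

view "internal" {
    # A request signed with slave1-axfr-int lands here whatever its source address.
    # The negated key is needed: an address element still matches a signed request,
    # so without it an ext-signed transfer from a 10/8 address would fall into this view.
    match-clients { key slave1-axfr-int; !key slave1-axfr-ext; 10.0.0.0/8; };
    also-notify { 192.0.2.10 key master-update-int; };
    # Key only: a nested { ip; } next to the key would be an OR, not an AND.
    allow-transfer { key slave1-axfr-int; };
    zone "example.com" { type master; file "internal/example.com.db"; };
};

view "external" {
    match-clients { key slave1-axfr-ext; !key slave1-axfr-int; any; };
    also-notify { 192.0.2.10 key master-update-ext; };
    allow-transfer { key slave1-axfr-ext; };
    zone "example.com" { type master; file "external/example.com.db"; };
};

# ---- slave (192.0.2.10): named.conf ----
options {
    allow-transfer { none; };
};
include "/etc/bind/tsig-keys.conf";

view "internal" {
    # The master's NOTIFY arrives signed with master-update-int, which selects this view.
    match-clients { key master-update-int; !key master-update-ext; 10.0.0.0/8; };
    allow-notify { key master-update-int; };
    # Sign every SOA query and AXFR/IXFR to the master with the per-view key,
    # so the master's match-clients puts the transfer into its internal view.
    server 192.0.2.1 { keys { slave1-axfr-int; }; };
    zone "example.com" { type slave; masters { 192.0.2.1; }; file "internal/example.com.db"; };
};

view "external" {
    match-clients { key master-update-ext; !key master-update-int; any; };
    allow-notify { key master-update-ext; };
    server 192.0.2.1 { keys { slave1-axfr-ext; }; };
    zone "example.com" { type slave; masters { 192.0.2.1; }; file "external/example.com.db"; };
};
```

Check it with named-checkconf on both hosts, then force a transfer (rndc retransfer example.com in internal, and again in external) and confirm in the master's log that each AXFR was answered from the expected view. If a transfer shows up in the wrong view, the match-clients ordering or a missing !key element is the usual cause.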