Issue

Bind implements the following configuration option (taken from bind doc):

allow-notify

Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters.
allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement.
It is only meaningful for a slave zone.
If not specified, the default is to process notify messages only from a zone's master.

and it can be set to:

    [ allow-notify { address_match_list }; ]

according to documentation Address Match Lists the address_match_list:

address_match_list = address_match_list_element ;
  [ address_match_list_element; ... ]
address_match_list_element = [ ! ] (ip_address [/length] |
   key key_id | acl_name | { address_match_list } )

can be any of the following:

• an IP address (IPv4 or IPv6)
• an IP prefix (in `/' notation)
• a key ID, as defined by the key statement
• the name of an address match list defined with the acl statement
• a nested address match list enclosed in braces

but in fact allow-notify {} cannot contain:

• a key ID, as defined by the key statement

because it isn't implemented in related code, resp. a TSIG key used for rndc authentication doesn't get passed to routine which could check it and only IP addresses and acl address match lists get compared. It means that machines which are not set to be masters for a zone and not mentioned in allow-notify {} clause are not allowed to notify slave to do a zone transfer and the following message appears in logs:

slave named[1779]: client 192.168.122.68#62440: view localhost_resolver: received notify for zone 'example.com'
slave named[1779]: zone example.com/IN/localhost_resolver: refused notify from non-master: 192.168.122.68#62440