The 3.0 documentation for catalog zones says the following: «The difference is that standard DNS queries to a catalog zone are answered with REFUSED as though the zone doesn’t exist, unless querying over TCP from an address with transfers enabled by ACL.»
This seems like an odd requirement, and it breaks interoperability with other vendors' authoritative servers. BIND, for example, does not send the SOA check for a zone transfer over TCP, and so it's impossible to use a Knot primary and BIND secondary with catalog zones. Is there some way to work around this? --