A BIND9 nameserver is configured with 'allow-transfer { none; };' but a secondary nameserver needs to receive zone transfers. What change must be made on the master?
allow-transfer specifies which servers are allowed to request zone transfers.
Why this answer
The 'allow-transfer' directive on the master nameserver controls which hosts are permitted to request zone transfers (AXFR/IXFR). Setting it to 'none;' blocks all transfers, so to allow a secondary to receive the zone, you must explicitly list the secondary's IP address in the 'allow-transfer' statement on the master. This is the direct and necessary change to enable zone transfers to that specific slave.
Exam trap
The trap here is that candidates confuse the slave-side 'masters' directive or the notification mechanisms ('notify', 'also-notify') with the actual access control needed on the master to permit the zone transfer itself.
How to eliminate wrong answers
Option A is wrong because 'masters' is a slave-side directive that tells the secondary where to request the zone from; it does not change the master's access control. Option C is wrong because 'notify yes;' is a master-side directive that sends NOTIFY messages to slaves when the zone changes, but it does not override the 'allow-transfer' restriction; the transfer itself will still be denied. Option D is wrong because 'also-notify' specifies additional IPs to send NOTIFY messages to, but like 'notify', it does not grant transfer permission; the secondary must still be allowed by 'allow-transfer'.