Initial BIND 9.9.2 RPZ xfr (spamhaus) failing with "failed to connect: timed out" ?

pgbind9 at ml1.net
Fri Mar 8 00:02:25 UTC 2013


hi,

i've installed

 named -v
  BIND 9.9.2-rpz+rl.028.23-P1

i've registered my nameserver IP with spamhaus for use of its RPZ list;
i've been approved for access.

i've set up my bind9 conf for slave access to a spamhaus RPZ

	...
	acl rpz4_spamhaus     { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
	masters rpz4_spamhaus { 199.168.90.51; 199.168.90.52; 199.168.90.53; };
	...
	  channel bind_rpzlog {
	    file "/var/log/bind-rpz.log" versions 10 size 5m;
	    print-time yes;
	    print-category yes;
	    print-severity yes;
	    severity debug;
	  };
	...
	  category rpz           { bind_rpzlog;    };
	...
	view "internal" {
	...
	response-policy {
	  zone "drop.rpz.spamhaus.org";
	};
	...
	  zone "drop.rpz.spamhaus.org" IN {
	    type slave;
	    file "/namedb/slave/drop.rpz.spamhaus.org.zone";
	    masters { rpz4_spamhaus; };
	    allow-query { localhost; };
	    allow-transfer { rpz4_spamhaus; };
	    request-ixfr yes;
	    notify no;
	  };
	...

Bind launches initially with no errors, but xfer log eventually reports:

	...
	07-Mar-2013 13:26:25.657 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: failed to connect: timed out
	07-Mar-2013 13:26:25.657 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.010 secs (0 bytes/sec)
	07-Mar-2013 13:27:17.673 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.52#53: failed to connect: timed out
	07-Mar-2013 13:27:17.673 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.52#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.014 secs (0 bytes/sec)
	07-Mar-2013 13:28:09.689 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.53#53: failed to connect: timed out
	07-Mar-2013 13:28:09.689 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.53#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.014 secs (0 bytes/sec)
	...

the RPZ log @ /var/log/bind-rpz.log is created on bind start, but is
completely empty.

if i

  rndc -k /usr/local/etc/named/keys/rndc-key retransfer drop.rpz.spamhaus.org

logs show only

 ==> /var/log/bind-main.log <==
  07-Mar-2013 13:58:43.576 general: info: received control channel command 'retransfer drop.rpz.spamhaus.org'

but nothing improves/changes.
 
I've no idea as to why the 'failed to connect' message.  As an obvious
result, no local zone file is created/written.

Where should I start looking/debugging for the cause of this failed
transfer?  Any other hints?

Thanks!

-pg
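
The xfer-in entries quoted in the message above, triaged per master; this is an added example, not part of the original post or of BIND. It records whether each attempt failed at the connect stage or only after a connection existed, and does not let the "Transfer completed: 0 messages" summary that named logs after a failed attempt count as success. The function name triage and the 192.0.2.x / example.test entries are constructed for contrast.

```python
import re

# Constructed sample: the six entries from the post, one per line, plus two
# made-up entries (192.0.2.x, example.test) showing a refusal and a success.
SAMPLE_LOG = """\
07-Mar-2013 13:26:25.657 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: failed to connect: timed out
07-Mar-2013 13:26:25.657 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.51#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.010 secs (0 bytes/sec)
07-Mar-2013 13:27:17.673 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.52#53: failed to connect: timed out
07-Mar-2013 13:27:17.673 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.52#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.014 secs (0 bytes/sec)
07-Mar-2013 13:28:09.689 xfer-in: error: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.53#53: failed to connect: timed out
07-Mar-2013 13:28:09.689 xfer-in: info: transfer of 'drop.rpz.spamhaus.org/IN/internal' from 199.168.90.53#53: Transfer completed: 0 messages, 0 records, 0 bytes, 7.014 secs (0 bytes/sec)
07-Mar-2013 13:30:00.000 xfer-in: error: transfer of 'example.test/IN/internal' from 192.0.2.1#53: failed while receiving responses: REFUSED
07-Mar-2013 14:00:00.000 xfer-in: info: transfer of 'example.test/IN/internal' from 192.0.2.2#53: Transfer completed: 1 messages, 12 records, 400 bytes, 0.050 secs (8000 bytes/sec)
"""

LINE = re.compile(
    r"(?P<ts>\S+ \S+) xfer-in: (?P<sev>\w+): transfer of "
    r"'(?P<zone>[^/']+)/\w+(?:/(?P<view>[^']+))?' "
    r"from (?P<master>[0-9A-Fa-f.:]+)#\d+: (?P<msg>.*)"
)

def triage(log_text):
    """Map (zone, view, master) to the outcome of its latest transfer attempt."""
    outcome, failed_at = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, msg = (m["zone"], m["view"], m["master"]), m["msg"]
        if m["sev"] == "error":
            failed_at[key] = m["ts"]
            stage = "connect" if msg.startswith("failed to connect") else "after-connect"
            outcome[key] = f"{stage}: {msg.split(': ', 1)[-1]}"
        elif msg.startswith("Transfer completed"):
            # As in the post's log, a failed attempt is followed by a summary
            # with the same timestamp; it must not overwrite the error.
            if failed_at.get(key) == m["ts"]:
                continue
            records = int(re.search(r"(\d+) records", msg).group(1))
            outcome[key] = "ok" if records else "empty"
    return outcome

if __name__ == "__main__":
    for (zone, view, master), result in triage(SAMPLE_LOG).items():
        print(f"{zone} view={view} master={master}: {result}")
```

For the post's log, all three masters come out as "connect: timed out": the TCP connection to port 53 was never established, so no DNS-level answer was received from any of them.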



More information about the bind-users mailing list