This could happen for a few reasons, listed below.
Slave servers have a serial number ahead of the master
Seems to happen when dynamic updates are enabled and can be seen in the logs as
general: info: zone gbmail.me/IN: serial number (2023020108) received from master 192.168.0.195#53 < ours (2023020112)
and confirmed with
secondary:~ # rndc zonestatus gbmail.me | grep serial serial: 2023020112 --- primary:~ # rndc zonestatus gbmail.me | grep serial serial: 2023020108
doing a refresh and retransfer the slaves will synchronise them
secondary:~ # rndc refresh gbmail.me secondary:~ # rndc retransfer gbmail.me secondary:~ # rndc zonestatus gbmail.me | grep serial serial: 2023020108
If this doesn’t work, try deleting the zone on the slave and reloading (or restarting) the server
secondary:~ # rndc delzone gbmail.me secondary:~ # systemctl reload named.service secondary:~ # rndc zonestatus gbmail.me | grep serial serial: 2023020108