How to restrict zone transfers to specific authorized servers only
Posted by JonoB on Server Fault
Published on 2011-11-26T23:43:02Z
I recently failed a PCI compliance scan because of the following:
This DNS server allows unrestricted zone transfers. Attackers may be able to use this information to gain knowledge on the structure of your networks to aid in device discovery prior to an actual attack.
And the suggested solution is as follows:
Reconfigure this DNS server to restrict zone transfers to specific authorized servers only.
I am running a dedicated Linux CentOS server.
My understanding is that I have to edit the /etc/named.conf file, which I have done, and the relevant part is as follows:
options {
    acl "trusted" {
        127.0.0.1;
        xxx.xxx.xxx.001; // this is one of the server's IPs
        xxx.xxx.xxx.002; // this is another server's IP
    };
    allow-recursion {
        trusted;
    };
    allow-notify {
        trusted;
    };
    allow-transfer {
        trusted;
    };
};
I then restarted the named service with /etc/rc.d/init.d/named restart and requested a re-scan, which failed again for the same reason.
Am I missing something obvious here?
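Two checks worth running after editing named.conf, written here as an added example and not taken from the original post: validate the file with named-checkconf before restarting (BIND accepts acl only as a top-level statement, so one nested inside options is reported as a syntax error), then attempt an AXFR from an address outside the trusted acl, as the scanner does, and classify the reply. The server address, zone name and config path are placeholders supplied by the caller; the script assumes BIND's named-checkconf and dig are installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes named-checkconf and
# dig are installed; SERVER, ZONE and CONF are placeholders from the caller.

# Validate named.conf syntax before restarting. BIND only accepts `acl` as a
# top-level statement, so an acl nested inside options {} is reported here
# rather than discovered when the service fails to reload.
check_config() {
  conf="${1:-/etc/named.conf}"
  named-checkconf "$conf"
}

# Classify captured `dig AXFR` output: "restricted" when the server refused
# the transfer, "open" when it handed out zone records, "unknown" otherwise
# (for example a timeout). Exit status: 0 restricted, 1 open, 2 unknown.
check_transfer_output() {
  out="$1"
  if printf '%s\n' "$out" | grep -Eq 'Transfer failed|REFUSED'; then
    echo restricted
    return 0
  fi
  # A completed transfer lists the zone's records, starting with its SOA.
  if printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
    echo open
    return 1
  fi
  echo unknown
  return 2
}

# Attempt a zone transfer the way the compliance scanner does, from a host
# that is not in the trusted acl, and classify the server's answer.
verify_zone_transfer() {
  server="$1"
  zone="$2"
  check_transfer_output "$(dig @"$server" "$zone" AXFR 2>&1)"
}

# Usage: ./check_axfr.sh <server-ip> <zone> [named.conf]
if [ "$#" -ge 2 ]; then
  check_config "${3:-/etc/named.conf}" && verify_zone_transfer "$1" "$2"
fi
```

Run the AXFR check from a machine whose address is not in the acl; a transfer that succeeds from there is exactly what the scan reports.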
© Server Fault or respective owner