Looking at syslogs of our new slave dns servers, I saw a lot of:
ns3 named: zone example.com/IN: refresh: could not set file modification time of '/var/lib/bind/example.com.hosts': permission denied
(example.com instead of real domain or reverse domain).
And indeed perms of files that got synced first were: -rw-r--r-- 1 root root
while files added on master dns later were: -rw-r--r-- 1 bind bind
Finally some were: -rw-rw-r-- 1 root bind
I fixed it so that all are: -rw-r--r-- 1 bind bind
with: chown -R bind:bind /var/lib/bind chmod g-w /var/lib/bind
That solved the syslogs.