You've two options in your master's BIND config for a given zone:
notify yes - will send notifications to all of the published NS records for the domain.
notify explicit - will send notifications only to those IPs listed in the also-notify configuration.
In either case, the slaves must be configured with allow-notify that accepts these notifications from the master's IP.
Once it accepts a NOTIFY, the slave then sends an IXFR or AXFR request back to the master. If the master is 'hidden' (i.e. not published as an NS record for the domain), then this doesn't matter. The slaves have to be configured with the master's IP directly, so they should know where to send the request.
So long as the master's firewall allows the requests in from the slaves and the master is configured to allow zone transfers, then the slaves can retrieve their configuration. (This is the part you have to lock down to prevent unauthorized name servers scraping your zone files.)
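The setup described above as named.conf fragments for a hidden master and its slaves, with zone transfers limited to the slaves' addresses. This is an added example, not part of the original answer; the zone name, file paths and IP addresses (documentation ranges) are constructed placeholders.

```conf
# ---- hidden master (192.0.2.1, constructed address): named.conf ----

# The only hosts that may pull the zone (constructed addresses).
acl "secondaries" { 198.51.100.10; 198.51.100.11; };

options {
    // Deny transfers by default; open them per zone below.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "zones/example.com.db";

    // Do not derive NOTIFY targets from the NS records;
    // notify only the addresses listed in also-notify.
    notify explicit;
    also-notify { 198.51.100.10; 198.51.100.11; };

    // The lock-down: an unrestricted setting such as { any; }
    // would let any host request the whole zone.
    allow-transfer { "secondaries"; };
};

# ---- each slave (198.51.100.10 / .11): named.conf ----

zone "example.com" {
    type slave;
    file "slaves/example.com.db";

    // The hidden master is not in the NS set, so its IP is given here;
    // this is where the IXFR/AXFR request goes after a NOTIFY.
    masters { 192.0.2.1; };

    // Accept NOTIFY messages only from the master's IP.
    allow-notify { 192.0.2.1; };

    // Slaves do not hand the zone on to anyone else.
    allow-transfer { none; };
};
```

The master's firewall still has to admit DNS over TCP and UDP port 53 from the slave addresses for the transfer requests to arrive.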