try with IP

nsd.conf.5.in

@@ -821,19 +821,19 @@ AXFR/IXFR on update. A port number can be added using a suffix of @number,
 for example 1.2.3.4@5300. The specified key is used during AXFR/IXFR. If
 tls-auth-name is included, the specified tls-auth clause will be used to
 perform authenticated XFR-over-TLS.
-.LP
+.IP
 If the AXFR option is given, the server will not be contacted with
 IXFR queries but only AXFR requests will be made to the server. This
 allows an NSD secondary to have a primary server that runs NSD. If
 the AXFR option is left out then both IXFR and AXFR requests are
 made to the primary server.
-.LP
+.IP
 If the UDP option is given, the secondary will use UDP to transmit the IXFR
 requests. You should deploy TSIG when allowing UDP transport, to authenticate
 notifies and zone transfers. Otherwise, NSD is more vulnerable for
 Kaminsky\-style attacks. If the UDP option is left out then IXFR will be
 transmitted using TCP.
-.LP
+.IP
 If a tls-auth-name is given then TLS (by default on port 853) will be used
 for all zone transfers for the zone. If authentication of the primary, based on
 the specified tls-auth authentication information, fails the XFR request will