I never found any reference to this in example set-ups, including those from the BIND ARM.
Nevertheless, I noticed my authoritative server received transfer requests from IPs — not their names — that were actually part of some root-servers' set — the DNS root.
I was about to allow such transfers in my configuration and thought about double checking.
If I'm right, the root will only answer for the gTLDs, and then the TLDs only for their respective next-level domains — delegations. But, if I understand the hierarchical design of DNS, it's up to each server to provide all the information it has rather than providing the strict minimum and referring the client into the iterative process. So why not: a root server could wish to be able to answer for my zones… that would relieve my own servers.
So, first of all, why does a root server (seem to) ask for my zones?
Can this actually be an attack?
Or, if that is OK, there remains the risk that such a server — root or TLD — will allow transfers for the zones it handles while this may not be our policy — don't trust the big fish to always manage its settings perfectly.
I guess we could feel differently depending on whether we have already authenticated the zones with DNSSEC, as trusting the root for DNSSEC signatures is not equivalent to trusting the root for the whole zone content.
And by the way, if we allow the transfers, we should also send them notifications on modifications.
*I feel this question should also have the tags AXFR, zone-transfer & root-servers.*
EDIT (here is the clue):
I was going from log lines like
20-Jan-2016 20:33:30.581 security: error: client 192.134.4.83#51264: zone transfer 'MyZone.info/AXFR/IN' denied
so
dig +noall +answer +authority -x 192.134.4.83 @a.in-addr-servers.arpa.
192.in-addr.arpa. 86400 IN NS y.arin.net.
[...]
dig +noall +answer +authority -x 192.134.4.83 @y.arin.net.
134.192.in-addr.arpa. 172800 IN NS ns3.nic.fr.
[...]
dig +noall +answer -x 192.134.4.83 @ns3.nic.fr.
83.4.134.192.in-addr.arpa. 172800 IN PTR zonemaster.rd.nic.fr.
dig +noall +authority SOA zonemaster.rd.nic.fr. @ns3.nic.fr.
rd.nic.fr. 3600 IN SOA ns2.rd.nic.fr. hostmaster.nic.fr. 2015111706 21600 3600 3600000 3600
And well…
I did on those dates play with online DNS checkers, including the French TLD's zonemaster.fr. Quite a detailed one, by the way.
So the AXFR request was just part of the tests they run. :-)
My mistake.
Thanks for your answers.
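The triage the edit above walks through by hand (take the denied-transfer log line, pull out the client address, turn it into the in-addr.arpa name to hand to dig -x) is easy to script when there are many such lines. The following is an added example, not code from the original post or from BIND: it parses the security-category log format shown in the post, groups denied AXFR/IXFR attempts per requester, derives the PTR owner name (in-addr.arpa or ip6.arpa) for the reverse lookup, and flags requesters that do fall inside the operator's own list of expected secondaries, since a denial there points at our ACL rather than at a stranger. The log lines and the allowed-secondary list are constructed for the example; the regex is written for the exact format in the post and is an assumption for other BIND versions, which also print a client pointer before the address.

```python
"""Triage BIND 'zone transfer ... denied' security log lines.

Added example, not from the original post or from BIND. Assumes the
log format shown in the post:
  DD-Mon-YYYY HH:MM:SS.mmm security: error: client IP#PORT: zone transfer 'ZONE/AXFR/IN' denied
"""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"security: error: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"zone transfer '(?P<zone>[^/']+)/(?P<xfr>[AI]XFR)/IN' denied$"
)

# Constructed sample: the line from the post, a retry as IXFR, an IPv6
# requester, a requester that is one of "our" secondaries, and a query-log
# line that must be ignored.
SAMPLE_LOG = """\
20-Jan-2016 20:33:30.581 security: error: client 192.134.4.83#51264: zone transfer 'MyZone.info/AXFR/IN' denied
20-Jan-2016 20:33:31.102 security: error: client 192.134.4.83#51270: zone transfer 'MyZone.info/IXFR/IN' denied
20-Jan-2016 21:02:11.007 security: error: client 2001:db8::1#40021: zone transfer 'MyZone.info/AXFR/IN' denied
20-Jan-2016 21:05:45.330 security: error: client 198.51.100.7#33120: zone transfer 'MyZone.info/AXFR/IN' denied
20-Jan-2016 21:06:00.000 queries: info: client 203.0.113.9#5353: query: MyZone.info IN SOA
"""

# Constructed: the networks our allow-transfer ACL is supposed to admit.
ALLOWED_SECONDARIES = ["198.51.100.0/24"]


def parse_denied(lines):
    """Return one dict per denied-transfer line; skip anything else."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # other categories, or a format this regex does not cover
        ev = m.groupdict()
        ev["ip"] = ipaddress.ip_address(ev["ip"])
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def reverse_name(ip):
    """PTR owner name for dig -x, with the trailing root dot as dig prints it.

    ipaddress.reverse_pointer handles both families (in-addr.arpa octets,
    ip6.arpa nibbles), so the IPv6 case costs nothing extra.
    """
    return ipaddress.ip_address(ip).reverse_pointer + "."


def triage(lines, allowed_secondaries):
    """Group denied transfers by requester and annotate each one."""
    allowed = [ipaddress.ip_network(n) for n in allowed_secondaries]
    by_ip = defaultdict(list)
    for ev in parse_denied(lines):
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        report[str(ip)] = {
            "count": len(evs),
            "zones": sorted({e["zone"] for e in evs}),
            "types": sorted({e["xfr"] for e in evs}),
            # True means our own ACL is rejecting a host we meant to allow.
            "expected_secondary": any(ip in net for net in allowed),
            "ptr_query": reverse_name(ip),
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG.splitlines(), ALLOWED_SECONDARIES).items():
        flag = "OUR SECONDARY, check ACL" if info["expected_secondary"] else "unknown requester"
        print(f"{ip}: {info['count']} x {'/'.join(info['types'])} for {', '.join(info['zones'])} [{flag}]")
        print(f"    dig +noall +answer -x {ip}   # PTR name: {info['ptr_query']}")
```

The "expected_secondary" flag separates two different problems that produce the same log line: a stranger (or, as in the post, a DNS checker) probing for open AXFR, which is harmless noise, versus one of our own secondaries being refused, which means the zone will stop replicating. The PTR name only tells you where to start the reverse chain; the ownership answer still comes from the dig queries shown in the edit above.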