
I never found any reference to this in example set-ups, including those from the Bind ARM.
Nevertheless, I noticed my authoritative server received transfer requests from IPs — not their names — that were actually part of some root-servers' set — the DNS root.
I was about to allow such transfers in my configuration and thought about double checking.

If I'm right, the root will only answer for the gTLDs, and then the TLDs only for their respective next-level domains — delegations. But, if I understand the hierarchical design of DNS, it's up to each server to provide all the information it has rather than providing the strict minimum and referring the client into the iterative process. So why not: a root server could wish to be able to answer about my zones… that would take some load off my own servers.

So, first of all, why does a root server (seem to) ask for my zones?
Can this actually be an attack?

Or, if that is OK, there remains the risk that such a server — root or TLD's — will allow transfers for the zones it handles while this may not be our policy — don't trust the big fish to always manage its settings perfectly.

I guess we could feel differently depending on whether we have already authenticated the zones with DNSSEC, as trusting the root for DNSSEC signatures is not just equivalent to trusting the root for the whole zone content.

And by the way, if we allow the transfers, we should also send them notifications on modifications.

*I feel this question should also have the tags AXFR, zone-transfer & root-servers.*

EDIT (here is the clue):
I was going from the log lines like

```
20-Jan-2016 20:33:30.581 security: error: client 192.134.4.83#51264: zone transfer 'MyZone.info/AXFR/IN' denied
```

so

```
dig +noall +answer +authority -x 192.134.4.83 @a.in-addr-servers.arpa.
192.in-addr.arpa.       86400   IN      NS      y.arin.net.
[...]

dig +noall +answer +authority -x 192.134.4.83 @y.arin.net.
134.192.in-addr.arpa.   172800  IN      NS      ns3.nic.fr.
[...]

dig +noall +answer -x 192.134.4.83 @ns3.nic.fr.
83.4.134.192.in-addr.arpa. 172800 IN    PTR     zonemaster.rd.nic.fr.

dig +noall +authority SOA zonemaster.rd.nic.fr. @ns3.nic.fr.
rd.nic.fr.              3600    IN      SOA     ns2.rd.nic.fr. hostmaster.nic.fr. 2015111706 21600 3600 3600000 3600
```

And well…
I did on those dates play with online DNS checkers, including the French TLD's zonemaster.fr. Quite a detailed one, by the way.

So the AXFR request was just part of the tests they run. :-)

My mistake.
Thanks for your answers.
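As an added defender-side example (not part of the question or either answer), here is a small Python script that parses BIND `security` log lines in the format quoted above, counts denied AXFR/IXFR attempts per client and zone, and flags clients that are not in a hypothetical list of expected secondaries. The sample log lines are constructed around the one from the question; the `EXPECTED_SECONDARIES` networks are assumptions and should match your own `allow-transfer` policy.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the older BIND "security" category line shown in the question, e.g.
# 20-Jan-2016 20:33:30.581 security: error: client 192.134.4.83#51264: zone transfer 'MyZone.info/AXFR/IN' denied
AXFR_DENIED = re.compile(
    r"^(?P<ts>\S+ \S+) security: error: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"zone transfer '(?P<zone>[^/']+)/(?P<qtype>AXFR|IXFR)/(?P<cls>\w+)' denied$"
)

# Hypothetical: the networks this server is supposed to serve transfers to (its secondaries).
EXPECTED_SECONDARIES = [ip_network("192.0.2.0/24"), ip_network("2001:db8:53::/64")]

# Constructed sample log; the first line is the one quoted in the question.
SAMPLE_LOG = """\
20-Jan-2016 20:33:30.581 security: error: client 192.134.4.83#51264: zone transfer 'MyZone.info/AXFR/IN' denied
20-Jan-2016 20:33:31.002 security: error: client 192.134.4.83#51270: zone transfer 'myzone.info/AXFR/IN' denied
20-Jan-2016 21:05:12.117 security: error: client 192.0.2.10#40111: zone transfer 'MyZone.info/IXFR/IN' denied
20-Jan-2016 21:06:00.000 queries: info: client 192.0.2.20#5555: query: www.myzone.info IN A -E
""".splitlines()


def parse_denials(lines):
    """Return one dict per denied-transfer line; lines in other formats are ignored."""
    events = []
    for line in lines:
        m = AXFR_DENIED.match(line.strip())
        if m:
            event = m.groupdict()
            event["ip"] = ip_address(event["ip"])
            events.append(event)
    return events


def is_expected(ip):
    """True when the client address belongs to one of the configured secondaries."""
    return any(ip in net for net in EXPECTED_SECONDARIES)


def summarize(lines):
    """Count denied transfers per (client, zone); a second counter keeps only unexpected clients."""
    counts, unexpected = Counter(), Counter()
    for event in parse_denials(lines):
        key = (str(event["ip"]), event["zone"].lower())  # zone names are case-insensitive
        counts[key] += 1
        if not is_expected(event["ip"]):
            unexpected[key] += 1
    return counts, unexpected


if __name__ == "__main__":
    _, flagged = summarize(SAMPLE_LOG)
    for (client, zone), n in flagged.most_common():
        print(f"{client} asked for {zone} {n} time(s) and is not a configured secondary")
```

A denied request from an unexpected client is only a signal to look at; as the question's own dig chain shows, resolving the PTR and SOA of the source and checking it against recent actions (here, an online zone checker) is what turns that signal into an explanation.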

2 Answers


Well, actually...

Conceivably it might be that at least one root name server (say, for the sake of argument, that it'd be named L) is actually a set of hundreds of servers distributed all over the world. And it might be that some entity is interested in testing the setups of DNS zones, and that this entity might have access to this set of machines. It would then be pretty convenient to use those machines to run tests from, since that would give information about how things work from various different places. And, also, one of the tests might be to send an AXFR query not to actually get the information, but to see if it will be allowed or denied.

Or so I might have heard.


For the most part, while I would agree with the sentiment about not trusting the big fish to always manage their settings, since there is really no (direct) profit available from running DNS (let's ignore OpenDNS/Google etc.), I have always believed that the root domain servers are very likely run by very, very geeky DNS guys who are very adept at what they do, simply because it would be so catastrophic to the internet at large if these servers were badly managed. I think generally you can trust the core network stuff, because management is kept away from it!

Saying that, there is no reason that a root zone server would be requesting an AXFR from an authoritative server of a domain. These are very busy machines (clusters); imagine the additional strain that randomly requesting zone transfers would have. There is simply no logical reason that this would happen. Hence I would be almost certain that this is some sort of attack.

The only servers that need AXFR access are secondary zone servers; everything else can use the standard DNS protocols, like they're meant to!

Michael B