From my syslog:
May 5 00:48:55 snarked named[903]: client 2001:470:47:13::2#14313 (x.x.x.x.x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa): zone transfer 'x.x.x.x.x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa/AXFR/IN' denied
I'm getting this about every 30 seconds (with varying source port numbers; actual zone masked for public posting, but it's my tunnel #2 allocation).
HE's whois service shows that this is an HE internal address, not a tunnel delegation.
AXFR access is permitted to ns1.he.net (216.218.130.2 and 2001:470:100::2) so that the DNS service can pick it up for "secondary" service.
From the DNS service page about the zone:
Domain name x.x.x.x.x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa
Type SLAVE
Master(s) 2001:470:... (In my tunnel#1 allocation as that's where my DNS server is)
Last successful check 2012-05-04 12:47:07 (176038 seconds ago.)
Last status change 2012-05-04 12:47:46
As 2001:470:47:13::2 is not the address of one of your 5 name servers, what is its purpose for wanting the zone?
PS: The zone in question is not (yet) DNSSEC signed. It will be signed when next updated.
Looks like a facility-specific machine:
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.1.0.0.7.4.0.0.0.7.4.0.1.0.0.2.ip6.arpa domain name pointer ns1-fmt2.he.net.
OK, but as I'm a tunnelbroker user and not in one of your facilities, why does it want to AXFR my zone? It's not one of ns[1-5].he.net nor is it documented to grant it access anywhere....
Ask dnsadmin@he.net ?
I'd guess that this is one of the many ns1.he.net machines or whatever trickery was used to deflect the onslaught of hate against the nameservers.
OK, but that doesn't seem to justify allowing AXFR permission to that IPv6 address....
Mail sent.
Matter resolved via e-mail. It was a misconfiguration and should have been from 2001:470:100::2.
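Added example, not part of the thread: a Python sketch that groups denied-transfer lines like the one quoted from syslog by source and zone, marks whether the source is one of the addresses the post lists as permitted, and derives the ip6.arpa name used for the PTR lookup. Only the first sample line comes from the post; the others are constructed, and the names `EXPECTED`, `SAMPLE` and `summarize_denied` are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Addresses the post lists as permitted to AXFR (ns1.he.net).
EXPECTED = {ipaddress.ip_address(a) for a in ("216.218.130.2", "2001:470:100::2")}

# Matches the named message quoted in the post. The optional "@0x..." token
# appears in the client field of newer BIND releases.
DENIED = re.compile(
    r"named\[\d+\]: client (?:@\S+ )?(?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+) "
    r"\([^)]*\): zone transfer '(?P<zone>[^/']+)/(?:AXFR|IXFR)/IN' denied"
)

ZONE = "x.x.x.x.x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa"  # masked zone name as posted
# First line is from the post; the remaining lines are constructed.
SAMPLE = [
    f"May 5 00:48:55 snarked named[903]: client 2001:470:47:13::2#14313 ({ZONE}): zone transfer '{ZONE}/AXFR/IN' denied",
    f"May 5 00:49:25 snarked named[903]: client 2001:470:47:13::2#51520 ({ZONE}): zone transfer '{ZONE}/AXFR/IN' denied",
    f"May 5 00:49:55 snarked named[903]: client 2001:470:47:13::2#40211 ({ZONE}): zone transfer '{ZONE}/AXFR/IN' denied",
    "May 5 00:50:01 snarked named[903]: client 192.0.2.10#5353 (example.org): query (cache) 'example.org/A/IN' denied",
]

def summarize_denied(lines):
    """Return one row per (client, zone) with a denied transfer attempt."""
    seen = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not a denied zone transfer
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # client field was not a valid address
        entry = seen[(addr, m["zone"])]
        entry["count"] += 1
        entry["ports"].add(int(m["port"]))
    return [
        {"client": str(addr), "zone": zone, "count": e["count"],
         "distinct_ports": len(e["ports"]),
         "expected_secondary": addr in EXPECTED,  # False: source is not a listed secondary
         "ptr_name": addr.reverse_pointer}        # name to query for the PTR record
        for (addr, zone), e in sorted(seen.items(), key=lambda kv: -kv[1]["count"])
    ]

if __name__ == "__main__":
    for row in summarize_denied(SAMPLE):
        print(row)
```
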