From my syslog:
May 5 00:48:55 snarked named: client 2001:470:47:13::2#14313 (x.x.x.x.x.x.x.x.0.7.4.0.18.104.22.168.ip6.arpa): zone transfer 'x.x.x.x.x.x.x.x.0.7.4.0.22.214.171.124.ip6.arpa/AXFR/IN' denied
I'm getting this about every 30 seconds (with varying source port numbers; actual zone masked for public posting, but it's my tunnel #2 allocation).
HE's whois service shows that this is an HE internal address, not a tunnel delegation.
AXFR access is permitted to ns1.he.net (126.96.36.199 and 2001:470:100::2) so that the DNS service can pick it up for "secondary" service.
From the DNS service page about the zone:
Domain name x.x.x.x.x.x.x.x.0.7.4.0.188.8.131.52.ip6.arpa
Master(s) 2001:470:... (In my tunnel#1 allocation as that's where my DNS server is)
Last successful check 2012-05-04 12:47:07 (176038 seconds ago.)
Last status change 2012-05-04 12:47:46
As 2001:470:47:13::2 is not the address of one of your 5 name servers, what is its purpose for wanting the zone?
PS: The zone in question is not (yet) DNSSEC signed. It will be signed when next updated.