Unapproved AXFR?

Jim Reid jim at rfc1035.com
Tue Dec 14 19:58:04 UTC 1999


    >> Let's assume for a moment that, by allowing zone transfers,
    >> there will eventually be one or more name servers that have, in
    >> fact, transferred one or more of your authoritative zones. Since
    >> you haven't configured that zone with associated NS entries for
    >> the server in question, they will not be receiving DNS Notify
    >> announcements from you as to changes. Further, since that name
    >> server actually has a copy of your zone, TTL will not expire
    >> out cached entries on that server.

I don't think this is a strong enough justification for restricting
zone transfers either, even though keeping an eye on stealth and slave
servers is a Good Thing. What if the remote name server was configured
to be authoritative for a completely bogus version of your zone? The
effect's the same - that name server is telling lies about your domain
- no matter what you're doing to control who's allowed to perform zone
transfers.
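Keeping an eye on stealth secondaries, as the post suggests, can be done from the server's own logs: the script below is an added example (not part of the post or of BIND) that scans constructed query-log lines in the shape BIND 9 writes them and reports every AXFR/IXFR client that is not one of the zone's listed (NOTIFY-receiving) secondaries. The log lines and the address set are assumptions for illustration.

```python
import re
from ipaddress import ip_address

# Constructed sample lines approximating BIND 9's query-log format (not from the post).
SAMPLE_LOG = """\
14-Dec-1999 19:58:04.101 client 192.0.2.53#53210 (example.com): query: example.com IN AXFR -TE (192.0.2.1)
14-Dec-1999 19:58:05.222 client 198.51.100.7#44011 (example.com): query: example.com IN AXFR -TE (192.0.2.1)
14-Dec-1999 19:58:06.333 client 203.0.113.9#5353 (www.example.com): query: www.example.com IN A -E (192.0.2.1)
14-Dec-1999 19:58:07.444 client 198.51.100.7#44012 (example.com): query: example.com IN IXFR -TE (192.0.2.1)
"""

# Assumed addresses of the secondaries named in the zone's NS records; these are the
# hosts that receive NOTIFY. Any other host pulling the zone holds a "stealth" copy
# that will only refresh on its own SOA timers.
LISTED_SECONDARIES = {"192.0.2.53"}

# Matches the client address, the zone in parentheses and a transfer query type.
XFR_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>AXFR|IXFR) "
)


def stealth_transfers(log_text, listed):
    """Return {zone: sorted list of client IPs} for transfers requested by unlisted hosts."""
    found = {}
    for line in log_text.splitlines():
        m = XFR_RE.search(line)
        if not m:
            continue  # ordinary query, or a line we do not understand
        ip = m.group("ip")
        try:
            ip_address(ip)  # discard anything that is not a real address
        except ValueError:
            continue
        if ip in listed:
            continue  # a known secondary; it gets NOTIFY, nothing to flag
        found.setdefault(m.group("zone"), set()).add(ip)
    return {zone: sorted(ips) for zone, ips in found.items()}


if __name__ == "__main__":
    for zone, clients in stealth_transfers(SAMPLE_LOG, LISTED_SECONDARIES).items():
        print(f"{zone}: unlisted transfer clients {', '.join(clients)}")
```

Feeding a real query log through it (with `querylog` enabled) gives the list of hosts to add to NS/also-notify or to ask about; it says nothing about servers that obtained a copy some other way, which is the post's point.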

