Don't do AXFR unless auth-sec-servers is set.

Simon Kelley
2013-01-07 21:55:54 +00:00
parent 333b2ceb97
commit c6cb7407b3


@@ -375,8 +375,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
log_query(F_RRNAME | F_AUTH, zone->domain, NULL, "<SOA>");
}
else if (qtype == T_AXFR)
{
if (daemon->auth_peers)
{
struct iname *peers;
@@ -391,7 +389,8 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
if (sockaddr_isequal(peer_addr, &peers->addr))
break;
if (!peers)
/* Refuse all AXFR unless --auth-sec-servers is set */
if ((!peers && daemon->auth_peers) || !daemon->secondary_forward_server)
{
if (peer_addr->sa.sa_family == AF_INET)
inet_ntop(AF_INET, &peer_addr->in.sin_addr, daemon->addrbuff, ADDRSTRLEN);
@@ -403,7 +402,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
my_syslog(LOG_WARNING, _("ignoring zone transfer request from %s"), daemon->addrbuff);
return 0;
}
}
soa = 1; /* inhibits auth section */
ns = 1; /* ensure we include NS records! */
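Review bot: The new test `(!peers && daemon->auth_peers) || !daemon->secondary_forward_server` still serves a transfer to any source address when `daemon->auth_peers` is NULL and `--auth-sec-servers` is set, so the whole zone is readable by whoever can reach the server. If that is intended, the comment should say so, for example `/* Refuse all AXFR unless --auth-sec-servers is set; with no --auth-peer list any source address is served */`. If it is not intended, the address check has to fail closed when the peer list is empty. The same condition also refuses a listed peer when `--auth-sec-servers` is absent, and both cases log the same "ignoring zone transfer request" warning, so an operator cannot tell an ACL miss from a configuration refusal. The body of answer_auth starts and continues outside these hunks, so the `peer_addr` setup and the loop header are not visible here.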