securing DNS

in Security+
I was reviewing some info on sec+ and ran across a question about securing DNS servers.
The question was something to the degree of what is the best method to secure DNS servers?
And I was torn between 2 of the answers.
One was to the effect of only allowing encrypted zone transfers with secondary DNS servers.
And the other
Turning off all services besides DNS on the DNS server.
Questions like this that have 2 correct answers make the test difficult. I understand the "Choose the BEST" but I second-guess myself with this type of question.
I know that with all servers it's best to disable all unused services. But then when I see this question I automatically assume that the machine has already had this done to it and look for the answer that actually has something to do with securing DNS.
Well, any input from any of you CISSP or Sec+ people would be nice.
Comments
What study material are you using? Any sec+ book or docs about securing DNS will (should) mention this.
Real-world DNS servers aren't necessarily secured this way. Rather, recursion is disabled, services are disabled, zone transfers are defined by IP, etc.
I would have to say I would choose disable all services. Also by viewing a zone transfer, it doesn't really put the server at risk any more than it does the rest of the network.
I hate Security+ questions!
Cheers
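
The DNS-specific measures mentioned in the comments above (recursion disabled, zone transfers restricted by IP) can be checked mechanically. This is an added example, not part of the original thread: it assumes a BIND-style `named.conf`, and the two sample configurations and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample configs in BIND named.conf syntax (not from the thread).
SAMPLE_WEAK = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
};
"""

SAMPLE_HARDENED = """
options {
    directory "/var/named";
    recursion no;
    allow-transfer { 192.0.2.53; };  // secondary server (documentation address)
};
"""

def strip_comments(text):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def audit(conf):
    """Return a list of findings for the two settings named in the thread."""
    conf = strip_comments(conf)
    findings = []

    # BIND recurses by default, so a missing statement counts as enabled.
    m = re.search(r"\brecursion\s+(\w+)\s*;", conf)
    if not m or m.group(1).lower() not in ("no", "false", "0"):
        findings.append("recursion is not disabled")

    # Zone transfers should list specific secondaries, never "any".
    acls = re.findall(r"\ballow-transfer\s*\{([^}]*)\}", conf)
    if not acls:
        findings.append("allow-transfer is not set explicitly")
    for acl in acls:
        entries = [e.strip() for e in acl.split(";") if e.strip()]
        if "any" in entries:
            findings.append("allow-transfer permits any host")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(conf) or "no findings")
```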