Why is a server with a problem still part of the root zone? And no, this is absolutely not the case for serious operators. Access to production systems is highly regulated.
Yes, highly regulated access with lots of hoop jumping, that's what they said. And there exists a person who has jumped through all the hoops and has that access. And that hoop-jumping person ran tcpdump on the root server.
I don't want to make this a personal attack, but it really sounds like you haven't done much work in a real production environment in a high-sec company. There may be a lot of red tape and safeguards in place, but you will always have someone with access to do anything, anywhere. It's the only way to respond to "interesting" incidents.