So... looks like I forgot to disable zone transfers, which are enabled by default.
Found this in /var/log/messages:
Oct 17 12:44:20 #localhost named[2514]: client 176.221.80.21#47253 (ks.id.au): transfer of 'ks.id.au/IN': AXFR started
Oct 17 12:44:20 #localhost named[2514]: client 176.221.80.21#47253 (ks.id.au): transfer of 'ks.id.au/IN': AXFR ended
Tested it myself with:
$ dig -t axfr @ns1.ks.id.au ks.id.au
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t axfr @ns1.ks.id.au ks.id.au
; (2 servers found)
;; global options: +cmd
8< snip snip 8<
;; Query time: 2 msec
;; SERVER: 2600:3c01::f03c:91ff:fe50:155d#53(2600:3c01::f03c:91ff:fe50:155d)
;; WHEN: Sun Oct 19 09:59:01 UTC 2014
;; XFR size: 18 records (messages 1, bytes 474)
Fixed by adding this to the zone file:
allow-transfer { "none"; };
Better:
dig -t axfr @ns1.ks.id.au ks.id.au
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t axfr @ns1.ks.id.au ks.id.au
; (2 servers found)
;; global options: +cmd
; Transfer failed.
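
A log check for the exposure shown in the /var/log/messages excerpt above, as an added example that is not part of the original post: it counts zone transfers started by clients outside a list of expected secondaries. The first two sample lines come from the post, the rest are constructed, and the 192.0.2.53 secondary and the function name are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# BIND's outgoing-transfer "started" line, in the format logged above.
# Optional parts (assumed here, not shown in the post): a "@0x..." client
# handle and a "view NAME:" prefix that some BIND setups add.
XFR_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r"(?: \([^)]*\))?: (?:view \S+: )?"
    r"transfer of '(?P<zone>[^']+)/(?P<cls>\w+)': "
    r"(?:AXFR|IXFR)(?:-style IXFR)? started"
)

def unexpected_transfers(lines, allowed=()):
    """Count started transfers per (client IP, zone) from clients
    that are not inside any of the `allowed` networks."""
    nets = [ip_network(n) for n in allowed]
    hits = Counter()
    for line in lines:
        m = XFR_RE.search(line)
        if not m:
            continue  # not a transfer start (e.g. the "ended" line)
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field, skip the line
        if any(ip in net for net in nets):
            continue  # expected secondary
        hits[(str(ip), m["zone"])] += 1
    return hits

SAMPLE = [
    # First two lines are from the post; the remaining three are constructed.
    "Oct 17 12:44:20 #localhost named[2514]: client 176.221.80.21#47253 (ks.id.au): transfer of 'ks.id.au/IN': AXFR started",
    "Oct 17 12:44:20 #localhost named[2514]: client 176.221.80.21#47253 (ks.id.au): transfer of 'ks.id.au/IN': AXFR ended",
    "Oct 18 03:10:02 #localhost named[2514]: client 192.0.2.53#40112 (ks.id.au): transfer of 'ks.id.au/IN': AXFR started",
    "Oct 18 04:00:00 #localhost named[2514]: client 2001:db8::99#51000 (ks.id.au): transfer of 'ks.id.au/IN': AXFR started",
    "Oct 18 04:00:09 #localhost named[2514]: client 2001:db8::99#51002 (ks.id.au): transfer of 'ks.id.au/IN': AXFR started",
]

if __name__ == "__main__":
    # 192.0.2.53 stands in for a legitimate secondary (assumption).
    for (ip, zone), n in unexpected_transfers(SAMPLE, ["192.0.2.53/32"]).items():
        print(f"{ip} transferred {zone} {n} time(s)")
```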