Identity Theft Hits the Root Name Servers (renesys.com)
10 points by babul on May 19, 2008 | 4 comments


These bogus servers appeared to be providing correct responses, so what do you think the people running these bogus root servers got out of it?

Perhaps redirects of just a handful of sites for some reason?


Some of the activity could be entirely innocent. For example, if you're an ISP, answering queries on the old address would reduce traffic. Other sites may do it to increase reliability and with no intention of the route becoming public.

10 years ago, there were a few parties offering your own TLD for US$500 per year or more. (This is trivial to configure within BIND.) Unfortunately, it only worked if you used specific name servers. For a site wanting its own intranet TLD, it would be trivial to configure if they used the default name server addresses and therefore any change of root server address could cause any number of sites to inadvertently broadcast routes.

Highlighting these "rogue" servers could be a ploy to discourage the use of autonomous root servers. ICANN is keen to note that any fragmentation of DNS threatens the stability of teh iNterweb, or somesuch tosh. However, in this case, ICANN's decision to move the address of a root server was very badly publicised and will cause ongoing problems for decades.


Thanks Dean. Interesting.

On a side note it was great to meet you at the TC event at the Festival Hall last week.


There's nothing stopping them from providing one incorrect response and everything else correct.

Also, they get to know which domain names are requested and how often.



