http://www.isc.org/index.pl?/sw/bind/bind-security.php - A weakness in the DNS protocol could lead to DNS poisoning of caching recursive name servers. This affects all non-DNSSEC protected domains. Newer versions of BIND utilize Query Port Randomization for BIND 9 which helps to mitigate the problem, but is not a full solution. The only proven solution to protect your domain from this attack is to implement DNSSEC on your authoritative name servers. It is recommended that we investigate DNSSEC and work its deployment into our schedule. Until then, we should look into updating our version of BIND to 9.3.5, 9.4.3, 9.5.0b2 or later when released.