BIND vulnerability to "additional information" hack

since these questions are common, i've decided to publish the answer on NANOG.

> I was under the impression that the vulnerability to bogus "additional
> information" was a thing of pre-4.9 BINDs, and that all versions of
> 4.9.x are safe. What you wrote here implies that only 4.9.5-P1 and
> later are actually safe.

there are varying degrees of corruption. to protect against alternic,
you have to run 8.1.1 or 4.9.6. even 4.9.5-P1 is susceptible.

> I'm responsible for a number of nameservers on the Internet, at a
> number of sites. Most of them are running BIND 4.9.3 and a few are
> running 4.9.4 and 4.9.5; none are yet running any version of BIND 8.

4.9.6 is your friend. it's a drop-in, zero insertion force replacement
for 4.9.*. it's not as good in general as 8.1.1, but it protects against
alternic cache pollution as well as 8.1.1, which is as well as we can do
it without full DNSSEC.

> Although they will all eventually be upgraded, I'm considering how
> urgent it is to upgrade them all now. Are they vulnerable to this hack?