...
Dima
fed up his ears with named's chronic inability to filter out bogus
additional records
I have done, algorithmically, everything that can be done at that level.
At this point we are going to have to wait for DNSSEC or some other wire
protocol change. If you have suggestions to the contrary I would like
to hear them. (And if you have money to pay for BIND improvements I would
like to hear about that, too.)