Since, as you say, this has an "operations" context (the integrity of the
Internet domain service in realistic danger), it might be appropriate and
appreciated for you to detail the steps you and the ISC have taken to
resolve these problems in BIND 8.1.1.
I'm happy to help, sure.
Does 8.1.1 validate resource records?
To the extent possible without DNSSEC, yes.
Does it use random query IDs?
In a noncryptorandom way, yes. (With 16 bits it almost doesn't matter.)
My understanding of Kashpureff's attack was that it was of minimal
complexity (specifically, that he ripped off some kid's cname-bouncing
script). I am therefore concerned at what appears to be the use of his
apparently unsophisticated attack as a metric for the security of BIND
I wrote <URL:ftp://ftp.vix.com/pri/vixie/bindsec.psf> in September of 1995
and presented it at the 5th Usenix Security Symposium in Salt Lake City.
Noone in the security field has any right to expect any implementation of
DNS to be secure until DNSSEC is widely implemented.
I'm sorry if something I said misled you to believe otherwise.