FYI. There was some question here about whether PowerDNS was vulnerable or not and what it was doing, so I asked Bert Hubert about it. Here is his answer:
And my additional nuance:
By the way - just to nuance things, I'm sure PowerDNS can be spoofed too if
enough effort is thrown into it.
I'm working hard to implement the features that will allow me to state
PowerDNS won't be spoofed "in a million years of trying".
But I'm not there yet