Verisign Countermeasures - BIND and djbdns patches

I'm collecting countermeasures to the verisign wildcard DNS records
at Currently there are
patches for BIND 9.2.2 and djbdns (not authored by myself) and a
Linux userland/netfilter program that rewrites DNS packets (which is).

If anyone has other patches/countermeasures I'm happy to maintain a list
of links at the above URL.

Patch for Bind 8.4.1 -
Quick and dirty.

Very early patch for pdns_recursor (GPL & everything) below. I'll work up
something more permanent, perhaps tonight.