DNS Security Extensions (DNSSEC) provides data integrity, origin authentication and authenticated denial of existence to resolvers.
Problem description
If a client requests DNSSEC records with the Checking Disabled (CD) flag set, BIND may cache the unvalidated responses. These responses may later be returned to another client that has not set the CD flag.
Impact
If a client can send such queries to a server, it can exploit this problem to mount a cache poisoning attack, seeding the cache with unvalidated information.
Original advisory and solution
FreeBSD-SA-10:01.bind