[yyin]

"The fact that djbdns doesn't use BIND code is not really relevant."

It is to me.

It's true that in this case it's not what mitigates this vulnerability. Although it has certainly mitigated many others over the years and, sadly, probably will do so a few more times in the future. There's just no getting rid of the BIND legacy.

Correct me if I am wrong, but using a local dnscache and the fact that dnscache does not implement ENDS0 should be enough to mitigate this one.

I have been running a local tinydns root.zone and dnscache for many years. Really like the software.