I thought I'd share this to anyone that wants to just force all TYPE=ANY queries over TCP to prevent those from coming from spoofed locations. This is a crude but effective hack. It doesn't stop the system from recursing to find the response. http://puck.nether.net/~jared/bind-9.9.3rc2-tcp-any.patch - Jared