Subject: Re: NetBSD Security Advisory 2006-022: BIND recursive query and SIG query processing
To: None <netbsd-users@netbsd.org>
From: Ben Collver <collver@peak.org>
List: netbsd-users
Date: 09/21/2006 14:54:43
On Thu, Sep 21, 2006 at 10:36:01PM +0100, NetBSD Security-Officer wrote:
> 		 NetBSD Security Advisory 2006-022
> Topic:		BIND recursive query and SIG query processing
> Version:	NetBSD-current:	source prior to September 05, 2006
> 		NetBSD 3.0:		affected
> Severity:	Denial of service
> 
> Solutions and Workarounds
> =========================
> In particular, it is recommended practice, regardless of this
> vulnerability, to accept recursive queries only from local clients who
> would be expected to query this nameserver directly, not from unknown
> Internet sources.  The 'allow-recursion' directive in the options
> section of named.conf should be configured with an appropriate address
> list, as in the following simple example:
> 
> options {
>         directory "/etc/namedb";
>         allow-recursion { 1.2.3.4/24; 127.0.0.1/32; ::1; };
> };

I tried this workaround on NetBSD 3.0 and named refused to stop...

Sep 21 14:46:13 coldsteel named[24397]: /etc/named.conf:40: unknown option 'allow-recursion'

Cheers,

Ben
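As an added example (not part of the advisory or of Ben's message), the following Python script audits the recursion policy in a named.conf options block the way the advisory recommends: it reports whether an allow-recursion list is present, whether it is wide open ({ any; }), or whether recursion is disabled outright. The sample configurations are constructed for the demonstration; the only real syntax assumed is BIND's options/allow-recursion/recursion grammar shown in the advisory.

```python
import re

# Constructed sample named.conf fragments (not taken from any real host).
SAFE_CONF = """
options {
        directory "/etc/namedb";
        allow-recursion { 1.2.3.4/24; 127.0.0.1/32; ::1; };
};
"""

OPEN_CONF = """
options {
        directory "/etc/namedb";
        recursion yes;
        // no allow-recursion: named falls back to its built-in default
};
"""

ANY_CONF = """
options {
        directory "/etc/namedb";
        allow-recursion { any; };   /* explicitly open to everyone */
};
"""


def _strip_comments(text):
    """Remove the three comment styles BIND accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the top-level options { ... } block, or None.

    Braces are counted so that nested address lists inside options do not
    end the block early.
    """
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[m.end():i - 1] if depth == 0 else None


def recursion_acl(conf):
    """Return the allow-recursion address list as a list of entries,
    or None when the option is absent from the options block."""
    body = options_block(_strip_comments(conf))
    if body is None:
        return None
    m = re.search(r"\ballow-recursion\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_recursion(conf):
    """Classify the recursion policy of a named.conf text.

    Returns one of:
      'no-options'          - no options block found
      'recursion-disabled'  - 'recursion no;' is set (authoritative-only)
      'unrestricted'        - recursion on, but no allow-recursion list
      'any'                 - allow-recursion explicitly contains 'any'
      'restricted'          - allow-recursion names a specific address list
    """
    body = options_block(_strip_comments(conf))
    if body is None:
        return "no-options"
    if re.search(r"\brecursion\s+no\s*;", body):
        return "recursion-disabled"
    acl = recursion_acl(conf)
    if acl is None:
        return "unrestricted"
    if "any" in acl:
        return "any"
    return "restricted"


if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("open", OPEN_CONF), ("any", ANY_CONF)):
        print(f"{name}: {audit_recursion(conf)} acl={recursion_acl(conf)}")
```

The script only checks the text of the configuration. As the "unknown option" message above shows, the installed named must also accept the directive, so pair a check like this with `named-checkconf` on the host before restarting the server.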