I'm confused about what all the debate is over HD and I)ruid releasing exploit code.
Every time there is a new vulnerability WITHOUT code, everyone wants to debate and bitch about the "real impact" because there is no exploit code. But as soon as exploit code comes out, all the bloggers and security people get to do the "Patch Now!" post. So, if the vulnerability is indeed as serious as people say it is, you should all be kissing HD's and I)ruid's asses for throwing out the ammunition to get the serious vulnerability patched in a hurry.
Is the average fresh CEH graduate script kiddie going to pwn the internet with this aux module? Hell no. After they get a domain poisoned, they still have to launch some sort of client side attack, deliver some malware that won't get flagged by AV, secure the box, and manage all the bots. Is that realistic for the average "script kiddie"? I don't think so.
Maybe a real bad guy can make that happen, but to think that "real bad guys" didn't already have this exploit after all the talk about it is just plain asinine.
I'm personally glad I have at least another quarter of job security; this kind of fear-mongering is always great for job security and buying new toys.
Richard Bejtlich wrote up a similar but better response to the issue: http://taosecurity.blogspot.com/2008/07/dns-and-cyber-tardis-problem.html
Good write-up on the Verizon security blog about the issue and possible scenarios.