While this security vulnerability is rated as "medium" risk, this is because it is not currently a risk for many BIND users. For users who have DNSSEC validation turned on, this bug is a SEVERE risk and upgrading to the newly patched code is imperative.
This problem only affects nameservers that allow recursive queries and are performing DNSSEC validation on behalf of their clients. It is unlikely to be encountered by most DNSSEC-validating nameservers because queries that might induce a nameserver to exhibit this behavior would not normally be received with CD in combination with DO. We are not aware of any (client) stub resolvers that do this; however, at least one other DNS server implementation has been observed crafting queries in this way when forwarding.
BIND 9 users should upgrade to one of the following: 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2. There are no fixes available for BIND versions 9.0 through 9.3, as those releases are at end-of-life, the ISC said.