As a final update to this thread: Dan Bernstein acknowledged this bug as a security hole in djbdns and recommends that users install my patch. A copy of his post is available at http://marc.info/?l=djbdns&m=123613000920446&w=2.