DNS cache poisoning

In 2007-2008, I researched DNS cache poisoning vulnerabilities, specifically around the predictability of the DNS transaction ID (TRXID/QID). I managed to find practical attacks against several prominent DNS servers, and one major DNS client (Windows).

BIND 9 DNS Cache Poisoning (July 24th, 2007)
CVE-2007-2926, BugTraq ID 25037, CERT VU#252735

BIND 8 DNS Cache Poisoning (and a theoretic DNS cache poisoning attack against the latest BIND 9) (August 27th, 2007)
CVE-2007-2930, BugTraq ID 25459, CERT VU#927905

Windows DNS Server Cache Poisoning (November 13th, 2007)
CVE-2007-3898, BugTraq ID 25919, Microsoft security bulletin MS07-62

OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability (February 6th, 2008)
CVE-2008-1146, CVE-2008-1147, CVE-2008-1148, BugTraq ID 27647 
Errata (March 13th, 2008): 
The original paper mentioned that MacOS X has a particular
implementation bug wherein it always sets seed=0. However, this is
not accurate. the tmp variable changes each time ip_randomid() is
called, and thus it is not guaranteed that seed=0. Nevertheless, it
can be easily shown that seed=0 in about 50% of the key intervals.
This is because at the re-keying time, tmp has probability of around
50% to have its higher 16 bits 0.
So the Mac/Darwin platform remains particularly vulnerable.

PowerDNS Recursor DNS Cache Poisoning (March 31st, 2008)
CVE-2008-1637, BugTraq ID 28517

Microsoft Windows DNS Stub Resolver Cache Poisoning (April 8th, 2008)
CVE-2008-0087, BugTraq ID 28553, Microsoft security bulletin MS08-020