The remote DNS Server is vulnerable to a remote cache-poisoning attack.
The remote DNS Server is running BIND 9 earlier than 9.4.3-P4, 9.5.2-P1, or 9.6.1-P2. Such versions may incorrectly ad records to its cache from the additional section of responses received during resolution of a recursive client query. This behavior only occurs when processing client queries with checking disabled (CD) at the same time as requesting DNSSEC records (DO).
Upgrade to BIND 9.4.3-P4 / 9.5.2-P1 / 9.6.1-P2 or later.