The remote DNS Server is vulnerable to a remote cache-poisoning attack.
The remote DNS Server is running Bind 9 earlier than 9.4.3-P5, 9.5.2-P1, or 9.6.1-P3. Such versions are potentially affected by a remote cache-poisoning attack. An error exists in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses to be cached as if they had validated correctly.
Upgrade to BIND 9.4.3-P5, 9.5.2-P2, 9.6.1-P3, or later.