Since, as you say, this has an "operations" context (the integrity of the Internet domain service in realistic danger), it might be appropriate and appreciated for you to detail the steps you and the ISC have taken to resolve these problems in BIND 8.1.1.
I'm happy to help, sure.
Does 8.1.1 validate resource records?
To the extent possible without DNSSEC, yes.
Does it use random query IDs?
In a noncryptorandom way, yes. (With 16 bits it almost doesn't matter.)
My understanding of Kashpureff's attack was that it was of minimal complexity (specifically, that he ripped off some kid's cname-bouncing script). I am therefore concerned at what appears to be the use of his apparently unsophisticated attack as a metric for the security of BIND 8.1.1.
I wrote <URL:ftp://ftp.vix.com/pri/vixie/bindsec.psf> in September of 1995 and presented it at the 5th Usenix Security Symposium in Salt Lake City. Noone in the security field has any right to expect any implementation of DNS to be secure until DNSSEC is widely implemented. I'm sorry if something I said misled you to believe otherwise.