BIND servers which are configured to perform DNSSEC validation and which are using managed-keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate with an assertion failure when encountering all of the following conditions in a managed trust anchor: a key which was previously trusted is now flagged as revoked; there are no other trusted keys available; there is a standby key, but it is not trusted yet This situation results in termination of the named process and denial of service to clients, and can occur in two circumstances: during an improperly-managed key rollover for one of the managed trust anchors (e.g., during a botched root key rollover), or when deliberately triggered by an attacker, under specific and limited circumstances. ISC has demonstrated a proof-of-concept of this attack; however, the complexity of the attack is very high unless the attacker has a specific network relationship to the BIND server which is targeted
Seems like net-dns/bind is pretty much unmaintained... Gentoo has only these vulberable versions in tree since weeks now :-/ @idl0r: Ping? Are you too busy? Or not interested in net-dns/bind anymore?
CVE-2015-1349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1349): named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use.
This issue was resolved and addressed in GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01 by GLSA coordinator Mikle Kolyada (Zlogene).