
Has DNS yet removed the possibility of an ISP front-running replies for outside DNS? For example, you want to see HN, but Comcast would rather you see HN through their ad-injecting proxy - their systems can see your DNS query and reply with the proxy.

Seems like encryption and signing would help here as well.




They don't need to front run. They can simply impersonate and not pass along the queries.


Do you mean Dan Kaminsky's issue from 2008? (https://en.wikipedia.org/wiki/Dan_Kaminsky#Flaw_in_DNS)

If so, this was fixed... in 2008.


Fixed is much too strong a word. Mitigated is more descriptive. From your link:

> This fix is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names.
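The stopgap quoted above, matching the query's source port as well as its transaction ID, is what a resolver's response-acceptance check looks like in practice. The following is an added example rather than code from the thread: a small Python validator run over constructed DNS messages against a hypothetical pending-query record; the port multiplier assumes a full 16-bit port space, as the quoted figure does.

```python
import struct

def build_query(txid, name, qtype=1, qclass=1, flags=0x0100):
    """Build a minimal DNS message with one question (constructed sample data).
    flags=0x0100 is a plain query; 0x8180 is a normal answer (QR=1, RD, RA)."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    return msg + b"\x00" + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (txid, flags, qname, qtype, qclass) from the header and first question."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a compressed qname in the question is not something we accept
            raise ValueError("compressed qname")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass

def accept_response(pending, reply, arrived_on_port):
    """pending describes the query the resolver sent (hypothetical record).
    A reply is accepted only if it arrived on the ephemeral port the query left
    from, carries the same transaction ID, has QR=1 and echoes the question."""
    if arrived_on_port != pending["port"]:
        return False
    try:
        txid, flags, qname, qtype, qclass = parse_question(reply)
    except (ValueError, struct.error, IndexError):
        return False
    if txid != pending["txid"] or not flags & 0x8000:
        return False
    return (qname, qtype, qclass) == (pending["qname"].lower(), pending["qtype"], pending["qclass"])

def spoof_space(port_randomized):
    """Values a blind (off-path) forger must guess: 16-bit txid alone, or txid plus
    a 16-bit source port. Real resolvers use a somewhat smaller ephemeral range."""
    return 2 ** 16 * (2 ** 16 if port_randomized else 1)

# Constructed sample: one outstanding query and a legitimate reply to it.
PENDING = {"txid": 0x1A2B, "port": 49213, "qname": "news.ycombinator.com", "qtype": 1, "qclass": 1}
GOOD_REPLY = build_query(0x1A2B, "news.ycombinator.com", flags=0x8180)
```

Note that this check only raises the cost of off-path guessing; an on-path party that sees the query already knows the txid and port, which is the point made further down the thread.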


Fair.


Nah, they'd be able to use a much more surgical approach because they wouldn't need to guess the txid. They can just spool off packets that match what they're looking for and respond to them themselves instead of sending them along to 8.8.8.8 or whoever.



