In addition to source port randomization, one would also like TID (Transaction ID) randomization. Up until now, python-dns provided neither. 2.3.1-4 pulls a patch from the upstream CVS repository that will provide a random TID when packets are created.
The patch does not re-randomize the TID if a packet has to be retried due to timeouts. It also does not randomize the port. The Lenny/Sid kernel will do this for python-dns, but the Etch kernel will not. Upstream is still working on the issue. I expect a new upstream release tomorrow that fully supports TID randomization and another release once the port randomization is coded and tested (it's a rather more complex change). Once both those are in hand, I'll prepare a diff for the security team for Etch.
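The two properties discussed in this message, a fresh random TID for every query and a fresh one again when a query is retried, are easy to get wrong, so here is an added illustration (my own example code, not the python-dns patch or upstream code) of what a resolver-side TID check looks like. It builds a minimal DNS query header with `struct`, draws the TID from a CSPRNG, re-draws it on retry so a late reply to the timed-out attempt is no longer accepted, and validates an incoming reply against both the outstanding TID and the echoed question. The `Resolver`, `make_reply` and `with_tid` names are assumptions for the example; replies are constructed inline so nothing goes on the wire.

```python
import secrets
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(qname):
    """Encode a dotted name into DNS wire-format labels."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, tid=None, qtype=QTYPE_A):
    """Build a minimal DNS query; the TID comes from a CSPRNG unless one is given."""
    if tid is None:
        tid = secrets.randbelow(0x10000)
    # Header: id, flags (RD set), qdcount=1, ancount, nscount, arcount.
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    return tid, header + encode_qname(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def tid_of(packet):
    """Read the 16-bit transaction ID at the start of a DNS message."""
    return struct.unpack("!H", packet[:2])[0]


def with_tid(packet, tid):
    """Return a copy of the message with its TID replaced (used to build a mismatching sample)."""
    return struct.pack("!H", tid) + packet[2:]


class Resolver:
    """Tracks outstanding queries by TID and validates replies against them (hypothetical)."""

    def __init__(self):
        self.pending = {}  # tid -> qname

    def send(self, qname):
        tid, packet = build_query(qname)
        self.pending[tid] = qname
        return tid, packet

    def retry(self, old_tid):
        """Re-issue a timed-out query under a new TID; the old TID stops being valid."""
        qname = self.pending.pop(old_tid)
        new_tid = old_tid
        while new_tid == old_tid:  # guarantee the retry never reuses the timed-out TID
            new_tid = secrets.randbelow(0x10000)
        _, packet = build_query(qname, tid=new_tid)
        self.pending[new_tid] = qname
        return new_tid, packet

    def accept(self, response):
        """Accept a reply only if its TID is outstanding and the question section echoes ours."""
        tid = tid_of(response)
        qname = self.pending.get(tid)
        if qname is None:
            return False
        expected = encode_qname(qname)  # question section starts right after the 12-byte header
        if response[12:12 + len(expected)] != expected:
            return False
        del self.pending[tid]  # a TID is good for exactly one reply
        return True


def make_reply(query):
    """Constructed sample reply: same TID and question, QR bit set, no answer records."""
    header = struct.pack("!HHHHHH", tid_of(query), 0x8180, 1, 0, 0, 0)
    return header + query[12:]


if __name__ == "__main__":
    r = Resolver()
    tid, q = r.send("example.com")
    new_tid, q2 = r.retry(tid)
    print("retry changed TID:", tid != new_tid)
    print("stale reply to first attempt accepted:", r.accept(make_reply(q)))
    print("reply to retry accepted:", r.accept(make_reply(q2)))
```

Note that the TID alone is only a 16-bit check; the source port check that the message says still has to be coded is a separate matter, and even with the Lenny/Sid kernel assigning the port, the application still has to confirm the reply arrived on the socket that sent the query.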