A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.

So, comprehensively spoof DNS. I'll bet governments love this one, just like the last big DNS bug. Which means it won't get fixed; they'll deliberately keep the roots out of date.