The focus of the presentation is on using the forwarder to poison the recursive cache, but my take from a quick skim of the presentation is that plenty of damage could still be done just by abusing the improper bailiwick checks on a non-conditional forward resolver.<p>I definitely need to give the paper a closer read. I may be missing a detail that mitigates the risk in that scenario.