It's possible to inject a cache record during DNSSEC request processing.
vulners.com/securityvulns/securityvulns:doc:22848
vulners.com/securityvulns/securityvulns:doc:23087
vulners.com/securityvulns/securityvulns:doc:23395