Regarding security holes in BIND: If you've got enough hardware to do it, it's best to keep the DNS server outside your firewall. That way BIND bugs won't bite anything but the outward-facing DNS server.