The remote host is missing an update to bind9 announced via advisory DSA 1703-1.

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201703-1

It was discovered that BIND, an implementation of the DNS protocol suite, does not properly check the result of an OpenSSL function which is used to verify DSA cryptographic signatures. As a result, incorrect DNS resource records in zones protected by DNSSEC could be accepted as genuine. For the stable distribution (etch), this problem has been fixed in version 9.3.4-2etch4. For the unstable distribution (sid) and the testing distribution (lenny), this problem will be fixed soon. We recommend that you upgrade your BIND packages.