At the moment, it doesn't seem to bring many benefits, and some important drawbacks.
Reading from the entry on the wikipedia:
Quote:DNSSEC introduces the ability for a hostile party to enumerate all the names in a zone by following the NSEC chain. NSEC RRs assert which names do not exist in a zone by linking from existing name to existing name along a canonical ordering of all the names within a zone. Thus, an attacker can query these NSEC RRs in sequence to obtain all the names in a zone. Although this is not an attack on the DNS itself, it could allow an attacker to map network hosts or other resources by enumerating the contents of a zone.
So unless bind9 or the server we are using has proven support for NSEC3, I would oppose to use it.
By the other hand, changing "allow recursion" to no by default in ispcp would disable any kown problem with DNS poisoning
cheers!