diff -urN pdns-2.9.20.orig/pdns/packethandler.cc pdns-2.9.20/pdns/packethandler.cc
--- pdns-2.9.20.orig/pdns/packethandler.cc	2006-03-15 19:29:38.000000000 +0100
+++ pdns-2.9.20/pdns/packethandler.cc	2006-09-19 13:02:39.000000000 +0200
@@ -479,6 +479,9 @@
   return RCode::NoError;
 }
 
+#define SERIAL_WRAP 4294967296
+#define SERIAL_MAX_INCREMENT 2147483648
+
 int PacketHandler::processNotify(DNSPacket *p)
 {
   /* now what? 
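Review bot: Both added literals are unsuffixed decimals that do not fit in a 32-bit `long`, so on ILP32 targets they only compile through the compiler's `long long` extension, and their signedness is left implicit in the comparisons further down. Writing `#define SERIAL_WRAP 4294967296ULL` and `#define SERIAL_MAX_INCREMENT 2147483648ULL` (or typed `static const uint64_t` constants) makes width and signedness explicit. A short comment such as `/* RFC 1982: serial space is 2^32, an acceptable increment is below 2^31 */` would tell the next reader why these values gate NOTIFY handling.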
@@ -504,6 +507,7 @@
   }
 
   uint32_t theirserial=0;
+  uint64_t increment=0;
 
   /* to quote Rusty Russell - this code is so bad that you can actually hear it suck */
   /* this is an instant DoS, just spoof notifications from the address of the master and we block  */
@@ -514,13 +518,22 @@
     L<<Logger::Error<<"Unable to determine SOA serial for "<<p->qdomain<<" at "<<p->getRemote()<<endl;
     return RCode::ServFail;
   }
-	
 
-  if(theirserial<=di.serial) {
+  if (theirserial<=di.serial) {
+    increment = SERIAL_WRAP;
+  }
+  increment += theirserial - di.serial;
+
+  if(increment<0) {
     L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from master "<<p->getRemote()<<", we are up to date: "<<
       theirserial<<"<="<<di.serial<<endl;
     return RCode::NoError;
   }
+  else if (increment>SERIAL_MAX_INCREMENT) {
+    L<<Logger::Error<<"Received NOTIFY for "<<p->qdomain<<" from master "<<p->getRemote()<<", increment too big: "<<
+      increment<<">"<<MAX_SERIAL_INCREMENT<<endl;
+    return RCode::NoError;
+  }   
   else {
     L<<Logger::Error<<"Received valid NOTIFY for "<<p->qdomain<<" (id="<<di.id<<") from master "<<p->getRemote()<<": "<<
       theirserial<<" > "<<di.serial<<endl;
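Review bot: The `if(increment<0)` test can never be true because `increment` is declared `uint64_t` in the previous hunk, so the "we are up to date" branch is dead and a NOTIFY with an equal serial (increment is then exactly `SERIAL_WRAP`) is logged as "increment too big". If `di.serial` is also a 32-bit unsigned value (its declaration is not visible here), `theirserial - di.serial` already wraps modulo 2^32 before `SERIAL_WRAP` is added, so every lower or wrapped serial lands above `SERIAL_MAX_INCREMENT` and a legitimate serial wrap on the master is never accepted. The new log line also names `MAX_SERIAL_INCREMENT`, while the macro this patch adds is `SERIAL_MAX_INCREMENT`, which will not compile unless the other name is defined elsewhere. Doing the RFC 1982 comparison on a 32-bit difference covers all cases without the 64-bit detour: `uint32_t delta = theirserial - di.serial;`, then `if(delta == 0)` for up to date and `else if(delta >= SERIAL_MAX_INCREMENT)` for rejected. The body of processNotify starts and ends outside this hunk.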
