> I also tried that successfully. What exactly did you try, and how
> didn't it work?

I figured it out, and you're right, it does work. I had the wrong fake
nameservers, which explains my original results.

> No, the presence of an A record simply means the attack is not
> effective until the A record expires (the attack itself succeeds
> anytime unless the server also caches www.cnn.com./NS, which is very
> unlikely). When "it gets renewed again", the server is already
> poisoned with the forged NS, and it will be poisoned with a forged A
> record by the forged NS.

Now if only there were a way not to cache answers to questions we
never asked...