Odd, an nsupdate with ANY on a master bind instance isn't crashing the daemon on a CentOS 5.3 box. CentOS 5.2 seems to be safe too. I would rather not post the dynamic update script here for many reasons.
I tried the iptables on centos 5.3 server but it does not look like the u32 module is in the kernel that I am using. I was able to crash bind though on centos 5.3. The following is the version of bind I was crashing. There is a redhat bug report with links to an updated src rpm that can be used with 5.3. I was not able to crash it after that.
Name : bind Relocations: (not relocatable)
Version : 9.3.4 Vendor: CentOS
Release : 10.P1.el5_3.1 Build Date: Thu 02 Jul 2009 06:42:07 AM CDT
Install Date: Fri 03 Jul 2009 09:24:01 PM CDT Build Host: builder16.centos.org
Group : System Environment/Daemons Source RPM: bind-9.3.4-10.P1.el5_3.1.src.rpm
Size : 2191596 License: BSD-like