Check Point Firewall-1 dropping return Bind 9.2.2.rc1 dns packets

Stuart Weaver weaver at rge.com
Mon Feb 17 23:27:22 UTC 2003


We are experiencing problems related to bind 9.2.2.rc1 and
checkpoint firewall-1.

Some of the return dns packets are being partially dropped at the
firewall for a reason unknown to me, others are allowed to pass as expected.
Our firewall admin is telling me that checkpoint is dropping on rule 0, as
if it is no longer in the state table.

When using dig to look up hostnames against a bind 9 server, the initial
request times out, but another immediate request for the same address
shows that the data has been cached, and thus the requested data is returned.

If the timeout value used with dig is increased (say to 60) this will also
produce the desired result.

We only see this problem with the bind 9 servers in the environment.
Machines running queries against bind 4 servers do not suffer this fate.

Can anyone offer suggestions to fix or work around this
problem? Thanks.
