"That can be catastrophic if done right: for example, if a network is tricked into advertising itself as the whole of the Internet, it can be hosed"
I only ever managed small DNS servers but the above would require a change in the NS record. This would hose the sub-domain (relative to one of the domains hosted on the vulnerable server) but nothing beyond. Alternatively, a new zone could be imaginably added to the vulnerable server hence allowing spoofing of any domain within the organization, but there is no "advertising itself" element here either. DNS is no BGP. Unless I missed something?