nsupdate does not honor the operating system's preferred ephemeral port range
While it is a bug in and of itself, IMHO the most compelling reason to fix this problem is that it is causing rare system test failures.
nsupdate may pick a source port number which clashes with a port number assigned to some named instance for listening. This does not trigger an error upon bind() because both nsupdate and named set SO_REUSEADDR for the relevant sockets. The end result is that nsupdate is unable to receive any responses to its queries and thus indicates a timeout.
Another possible symptom of this bug is a named instance refusing to start with an "address already in use" error - which is what happens if it tries to bind() to its configured listening port when some nsupdate process is already bound to that same port (as its source port).