The good news is that it only took me about 15 minutes to find and reproduce the bug that was causing the improper resource record rotation. The bad news is that the bug that causes the rotation is one that enables a remote denial of service. Hence, I updated all three supported versions of MaraDNS (1.0, 1.2, and 1.3) last night to fix this bug.
Basically, someone can send a specially crafted DNS packet to the DNS server that will make an authoritative CNAME record not resolve. The workaround to disable this denial of service is to add the following line to the mararc file:
max_ar_chain = 2
The fix is to download MaraDNS 1.0.41/1.2.12.08/1.3.07.04 from the MaraDNS download page or to download MaraDNS 1.2.12.08 from the Sourceforge MaraDNS page
All distributions are strongly encouraged to update to 1.2.12.08, or to 1.0.41 if still using the 1.0 branch of MaraDNS. Please remember, 1.0 users, that non-security bugfixes in MaraDNS 1.0 will no longer be applied after December 21 of this year.
I would like to thank Michael Krieger, whose bug report helped me find and fix this problem.