I've looked at the code in handle_expired again and have concluded that the code does not present any security risk. The relevant code appears to be a fossil from the Deadwood 1 days, before I added randomization. The code copies over the Query ID from the local connection to the remote connection, makes a DNS header, then calls make_remote_connection to send a packet to the remote DNS server.
make_remote_connection uses set_dns_qid to make the query ID random before sending it to the remote DNS server.
In conclusion: There is no need to make a new Deadwood 2.3 release; the DNS QID is always a random number. However, the cleanup to make it so it doesn't look like the QID isn't random I'm going to keep in the 2.3 tree; should a bug come up in the 2.3 code, I'll also apply this fix.