On Sep 22, 2014, at 2:29 PM, Michael Fincham wrote:

Several others replied with information on the responses they saw from their locations, some hovering just below the 500 byte mark and some either side of 200 bytes. It seems there is some inconsistency or "load balancing" going on :)

The key is to ensure that end-customers (and network operators!) don't filter out DNS replies larger than 512 bytes in size, so that they can receive EDNS0 and DNSSEC (which requires EDNS0) replies. I know you know this, just getting it on the record in case anyone is searching the archives trying to troubleshoot similar problems. ;> ---------------------------------------------------------------------- Roland Dobbins // http://www.arbornetworks.com Equo ne credite, Teucri. -- Laocoön

On Sep 24, 2014, at 12:51 AM, Joe Abley wrote:

Note that for 53/udp transport the 512-byte limit is for the DNS message, and hence doesn't include the UDP and IP headers.

Yes. The things which do this are typically stateful firewalls and so-called 'IPS' systems, which are parsing the DNS message and which typically have some configuration switch equivalent to 'drop all DNS replies larger than 512 bytes', not ACLs on routers matching on overall packet length. ---------------------------------------------------------------------- Roland Dobbins // http://www.arbornetworks.com Equo ne credite, Teucri. -- Laocoön