OARC warns that Recent increases in DNSSEC deployment are exposing problems with DNS resolvers that cannot receive large responses. They even helpfully provide a test to see if you are compromised:
How To Use
To use the DNS Reply Size Test Server, simply use dig command line tool to issue a TXT query for the name rs.dns-oarc.net:
$ dig +short rs.dns-oarc.net txtYou can test a specific DNS resolver by using the @server feature of dig.
The output should look something like this:
rst.x4001.rs.dns-oarc.net. rst.x3985.x4001.rs.dns-oarc.net. rst.x4023.x3985.x4001.rs.dns-oarc.net. "192.168.1.1 sent EDNS buffer size 4096" "192.168.1.1 DNS reply size limit is at least 4023 bytes"
Here's what the output really looks like, right now:
drink@alexander:~$ dig +short rs.dns-oarc.net txt drink@alexander:~$
The page was created 07-07-2009 at 21:54, discovered by Slashdot 04-30-2010 at 6:37, IPv4 dead by 6:50, and IPv6 dead by 7:38. Since practically nobody is actually using IPv6, we can see that OARC did not take this seriously. Shouldn't the test have been distributed, somehow? Are DNSSEC the only records out there longer than 512b?
Incidentally, using the <blockquote> tag for layout is lazy and wrong. Blockquote is for block quotations. Please try to understand HTML before producing any for public consumption. Hope this helps. Try indenting with a transparent single-pixel shim whose size is set in ems, or by using CSS like you're supposed to.