I receive DNS responses > 500 bytes every day (reported by PIX firewall). So it is an issue, no matter wgat is recomended in RFC.
And you most probable have EDNS clients (nameservers) inside your firewall making EDNS queries which return EDNS responses that are bigger than 512 bytes. EDNS has been standards track for over 5 years now. The majority of the nameservers in the world talk EDNS between themselves and have been for several years now. Only a few queries caused the EDNS response to exceed 512 bytes. With the introduction of the AAAA records for A.GTLD-SERVERS.NET and B.GTLD-SERVERS.NET any EDNS referral from the root servers for COM/NET now exceeds 512 bytes (520 minimum). A plain DNS referral to COM/NET is 509 bytes so any referal for an name longer than xx.com is dropping glue records for the COM/NET servers. The correct thing to do is to fix your firewall to handle the EDNS responses. Mark RFC 2671: Extension Mechanisms for DNS (EDNS0) -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org