>> 4. Do you block non-UDP DNS requests or rate-limit requests?
>
> Yes

Why?
RFC5966 DNS Transport over TCP - Implementation Requirements
You make it very hard for DNSSEC

>> 5. Anything else you block/filter on your DNS servers?
>
> block fragmented packets

Why?
You then block EDNS0, which DNSSEC uses.
(UDP packets up to 4096 bytes, then TCP)

/Anders
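The two filtering choices discussed in this message, worked through as an added example that is not part of the original e-mail: it builds a DNSSEC query that advertises a 4096-byte EDNS0 buffer and classifies what the network must permit for a given UDP response to get through. The function names, the constructed sample responses and the 1500-byte IPv4 path MTU are assumptions made for illustration.

```python
import struct

TC_BIT = 0x0200    # header flag: response was truncated
DO_BIT = 0x8000    # EDNS0 flag: DNSSEC OK
OPT_TYPE = 41      # EDNS0 pseudo-record type (RFC 6891)

def build_query(name, qtype=48, udp_size=4096, dnssec_ok=True, txid=0x1234):
    """Build a DNS query (default QTYPE 48 = DNSKEY) with an EDNS0 OPT record."""
    # Flags 0x0100 = RD; one question, one additional record (the OPT RR).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS carries the advertised UDP payload
    # size, TTL carries ext-rcode/version/flags, RDLENGTH 0.
    ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt

def next_step(udp_response, path_mtu=1500):
    """Say what the path must allow for this UDP response to be usable."""
    (flags,) = struct.unpack("!H", udp_response[2:4])
    if flags & TC_BIT:
        return "retry-over-tcp"          # fails when TCP/53 is blocked
    # Assumed: IPv4 header without options (20) + UDP header (8).
    if 20 + 8 + len(udp_response) > path_mtu:
        return "arrives-fragmented"      # fails when fragments are dropped
    return "ok-single-udp-datagram"

def sample_response(size, truncated=False):
    """Constructed response: real header flags, zero padding as the body."""
    flags = 0x8000 | (TC_BIT if truncated else 0)  # QR set
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1) + b"\x00" * (size - 12)

if __name__ == "__main__":
    print(len(build_query("example.com")), "byte query with OPT record")
    for resp in (sample_response(300), sample_response(2000),
                 sample_response(512, truncated=True)):
        print(len(resp), next_step(resp))
```
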