DNSSEC replies are much bigger than traditional DNS answers.
Typical DNS replies fit into the 512-byte standard UDP DNS packet.
So if they get bigger we need EDNS Support.
To test if your DNS Servers can successfully forward bigger
packages you should use OARC’s DNS Reply Size Test Server:
$ dig +short rs.dns-oarc.net txt
If should then output something like this:
;; Truncated, retrying in TCP mode. rst.x3827.rs.dns-oarc.net. rst.x3837.x3827.rs.dns-oarc.net. rst.x3843.x3837.x3827.rs.dns-oarc.net. "184.108.40.206 sent EDNS buffer size 4096" "220.127.116.11 DNS reply size limit is at least 3843" "Tested at 2013-06-18 19:16:29 UTC"
Explanation can be found here