Over on the IETF namedroppers mailing list there is a discussion about DNSSEC and UDP fragmentation. See this thread, for example. Since the OARC Reply Size Test has been going for a couple of months now, I thought maybe it would have enough data for a decent analysis. Here's what I found:
The sample isn't quite as large as I'd like: only about 1650 unique client addresses have been tested so far.

The bar plots are histograms of the number of clients (y-axis) able to receive a given maximum reply size (x-axis). Each plot is for a different advertised EDNS receive buffer size. Note that the 512 data also includes clients that didn't send any EDNS information at all, since a resolver that sends no OPT record is limited to 512-byte UDP responses.

Normally the Reply Size Test utility won't return responses larger than the advertised buffer size. However, in the 512 data you can see a few counts around 4000. This can happen for one of two reasons. First, a clever user can "trick" the utility by sending queries with certain values in the query name. Second, there is a special mode for Nominum CNS, which won't send EDNS information unless it first receives a truncated response.

The most interesting data is in the 4096-byte plot. Most of the clients can receive 4K responses. However, about 20% are limited to 2K or less. The bar just left of 1500 on the x-axis represents clients that cannot receive fragmented DNS responses: on a path with a 1500-byte Ethernet MTU, a UDP response larger than 1472 bytes (1500 minus the 20-byte IPv4 header and the 8-byte UDP header) has to be fragmented, and a client that never sees the fragments tops out right there.
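To make the mechanics above concrete, here is an added Python example (my own illustration, not code from the original post or from the OARC Reply Size Test utility). It builds a DNS query with and without an EDNS0 OPT record, reads back the advertised UDP payload size the way a server would, produces and detects the kind of truncated (TC) response that Nominum CNS waits for before it starts sending EDNS, and computes the largest UDP payload that fits in a 1500-byte MTU without IP fragmentation. The query name `example.com`, the transaction ID and all function names are constructed for the example.

```python
"""Constructed EDNS0 / fragmentation helpers; not the OARC Reply Size Test code."""
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-RR type (RFC 6891)
FLAG_QR = 0x8000       # response bit
FLAG_TC = 0x0200       # truncation bit
FLAG_RD = 0x0100       # recursion desired
NON_EDNS_MAX = 512     # classic UDP DNS limit when no OPT record is sent


def encode_name(name):
    """Encode a dotted name in DNS wire (length-prefixed label) format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns_bufsize=None, do=False):
    """Build a recursive query; with edns_bufsize set, append an OPT RR advertising that size."""
    has_opt = edns_bufsize is not None
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if has_opt else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if has_opt:
        # OPT RR: root name, TYPE=41, CLASS field carries the UDP payload size,
        # TTL field carries ext-RCODE/version/flags (DO bit = 0x8000), empty RDATA.
        ttl = 0x8000 if do else 0
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, ttl, 0)
    return header + question + opt


def _skip_name(buf, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def advertised_bufsize(packet):
    """Return the UDP payload size from the OPT RR in the additional section, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4          # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        if rtype == OPT_TYPE and i >= an + ns:     # OPT only counts in the additional section
            return rclass
        off += 10 + rdlen
    return None


def max_reply_size(packet):
    """Largest UDP reply a well-behaved server will send back for this query."""
    size = advertised_bufsize(packet)
    if size is None:
        return NON_EDNS_MAX
    return max(size, NON_EDNS_MAX)                 # RFC 6891: values below 512 are treated as 512


def build_truncated_response(query):
    """Minimal TC=1 response echoing the question, as sent when the answer does not fit."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    end = 12
    for _ in range(qd):
        end = _skip_name(query, end) + 4
    header = struct.pack("!HHHHHH", txid, flags | FLAG_QR | FLAG_TC, qd, 0, 0, 0)
    return header + query[12:end]


def is_truncated(packet):
    """True if the TC bit is set in the DNS header."""
    return bool(struct.unpack("!H", packet[2:4])[0] & FLAG_TC)


def max_unfragmented_payload(mtu=1500, ipv6=False):
    """Largest DNS/UDP payload that fits in one IP packet of the given MTU."""
    return mtu - (40 if ipv6 else 20) - 8


def will_fragment(reply_size, mtu=1500, ipv6=False):
    """True if a UDP reply of this size would be split into IP fragments on the path."""
    return reply_size > max_unfragmented_payload(mtu, ipv6)


if __name__ == "__main__":
    q = build_query("example.com", edns_bufsize=4096, do=True)   # constructed query
    print("advertised:", advertised_bufsize(q), "max reply:", max_reply_size(q))
    print("4096-byte reply fragments at 1500 MTU:", will_fragment(max_reply_size(q)))
    print("unfragmented limit v4/v6:", max_unfragmented_payload(), max_unfragmented_payload(ipv6=True))
    tc = build_truncated_response(build_query("example.com"))
    print("truncated response, TC set:", is_truncated(tc))
```

The numbers line up with the histogram: a resolver advertising 4096 bytes can be handed a reply of that size, but anything above 1472 bytes leaves the server as two IPv4 fragments, and a client (or a middlebox in front of it) that drops fragments will report a maximum just under 1500 no matter what buffer size it advertised.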