Please add to Mikrotik DNS the ability to pass EDNS packets (UDP > 512 bytes). All the RouterOS boxes I test fail, whereas hitting the resolver directly causes a pass.
https://www.dns-oarc.net/oarc/services/replysizetest
Thx,
Sam
How did you test it Sam?
I was having this issue today, but solved it by changing the DNS server. I was using the OpenDNS server because my ISP server gave some problems a couple of weeks ago. Today I was forced to switch again to the ISP DNS server because I was not able to access www.google.com.
If you have a Linux box handy you can run this:
dig +short rs.dns-oarc.net txt
It will give you some diags about packet sizes.
snorris@silver:~/mrtg$ dig +short rs.dns-oarc.net txt
rst.x1220.rs.dns-oarc.net.
rst.x1202.x1220.rs.dns-oarc.net.
rst.x1243.x1202.x1220.rs.dns-oarc.net.
"68.15.4.39 DNS reply size limit is at least 1243 bytes"
"68.15.4.39 sent EDNS buffer size 1280"
Try that against a few servers and see what you get:
"dig @serverip +short rs.dns-oarc.net txt"
sam
Have you increased max-udp-packet-size on your MikroTik router in /ip dns configuration?
Yes Sergejs, I tried to increase the UDP packet size and it looked like at first it solved the problem, but then it happened again. I guess on that day there were a couple of things causing the DNS problems, server side, client side, who knows what else.
After some hours it was back to normal.
My current settings for the dns are
max-udp-packet-size=1024
cache-size=8192KiB
Until now no problems
Sergejs,
Mikrotik HAS TO change the default from 512 to larger. The root servers will be signed here in a short time and everything related to DNS will get ackward, and cause Mikrotik TONS of support tickets and uproar. Change the default from 512 now before it’s too late.
http://labs.ripe.net:80/content/preparing-k-root-signed-root-zone
“One of the most visible changes that DNSSEC introduces is that DNS replies become bigger. Every resource record set (RRSet) is accompanied by a signature (RRSIG). In many cases, such responses will be bigger than 512 bytes in size”
Sam
DNS responses are sometimes 4096 bytes. However, each individual packet will be only 1500 or whatever your MTU is. You should make the max-udp-packet-size your MTU or larger I assume. I would make it 4096 to account for both packet size and dns reply size. In the next year DNS packets will commonly be > 1024 or more.
Sam
Very helpful tip Sam.
Since I am not using any Linux machine in my LAN, is there any way, different from what you described before, to investigate these DNS packets? Can MikroTik do that?
Thank you, Toni
You should be able to still run dig on Windows:
ftp://ftp.isc.org/isc/bind9/9.6.1-P2/BIND9.6.1-P2.zip
dig is part of the BIND distro; just unzip and move dig to somewhere on your Windows box where you can run it. The same command line syntax should work on Windows.
I just tried that and it gave the following answer:
rst.x486.rs.dns-oarc.net.
rst.x454.x486.rs.dns-oarc.net.
rst.x384.x454.x486.rs.dns-oarc.net.
"208.69.34.6 DNS reply size limit is at least 486 bytes"
"208.69.34.6 lacks EDNS, defaults to 512"
Looks like it is within limits, is it?
That's not good, you want > 512. You should be getting > 1024, and even better > 4000.
Sam
The output should look something like this:
rst.x4001.rs.dns-oarc.net.
rst.x3985.x4001.rs.dns-oarc.net.
rst.x4023.x3985.x4001.rs.dns-oarc.net.
"192.168.1.1 sent EDNS buffer size 4096"
"192.168.1.1 DNS reply size limit is at least 4023 bytes"
I think I got it right now about this test.
So this is testing the max packet size I can receive, and not the max packet size the DNS server is sending, right?
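To make concrete what the test measures: the "sent EDNS buffer size" line reports the value the resolver advertised in the EDNS0 OPT record of its own query, and a path that caps DNS at 512 bytes shows up as replies with the TC (truncated) flag set. The Python below is an added example written for this thread, not code from MikroTik or DNS-OARC; it builds such a query, reads the advertised size back out of any DNS message, and checks the TC flag, with all names and sizes being assumed sample values.

```python
import random
import struct
from typing import Optional

DNS_TYPE_OPT = 41   # EDNS0 OPT pseudo-RR type (RFC 6891)
DNS_TYPE_TXT = 16

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, udp_payload: Optional[int] = 4096, qtype: int = DNS_TYPE_TXT) -> bytes:
    """Build a recursive query; when udp_payload is set, append an OPT RR advertising that size."""
    txid = random.randint(0, 0xFFFF)
    arcount = 1 if udp_payload is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # class IN
    msg = header + question
    if udp_payload is not None:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext RCODE/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload, 0, 0)
    return msg

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def is_truncated(msg: bytes) -> bool:
    """TC bit of the flags word: the reply did not fit in the UDP size the client allowed."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & 0x0200)

def advertised_udp_size(msg: bytes) -> Optional[int]:
    """Return the payload size carried in the OPT RR of a query or reply, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                     # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass                                 # CLASS holds the UDP payload size
        off += 10 + rdlen
    return None
```

A resolver (or a router forwarding for it) that strips the OPT record or never sends one is what the test reports as "lacks EDNS, defaults to 512".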
Ok, I made the correction, restarted the firewall rule for redirecting DNS requests to the router itself (disabled/enabled) and now I got the right answer, I think:
rst.x4001.rs.dns-oarc.net.
rst.x3985.x4001.rs.dns-oarc.net.
rst.x4023.x3985.x4001.rs.dns-oarc.net.
"80.78.65.130 DNS reply size limit is at least 4023 bytes"
"80.78.65.130 sent EDNS buffer size 4096"
Very helpful, Sam, thanks a lot
Thank God, RouterOS does not send requests to the root servers - it's not a recursive server.
Just received this email from the South African co.za administrators but does it apply to Mikrotik?
As of earlier this month, ICANN have started signing the root zone in an offline process (ie not in a live manner). This will gradually be phased in through the course of 2010, starting in January, and culminating in a fully live signed root zone in July 2010.
Technically, this means that replies to queries to the root name servers will exceed 512 bytes. This may cause problems for some resolving software that does not support EDNS0, or resolvers that sit behind misconfigured firewalls that arbitrarily enforce a 512 limit on DNS traffic. There are also cases involving the handling of IP fragmentation where problems can occur.
You should check that your resolving infrastructure can handle this issue - https://www.dns-oarc.net/oarc/services/replysizetest for a methodology. You may also wish to pass this on to your clients, particularly those who run their own resolving infrastructure, and/or firewalls.
Definitive website:
http://www.root-dnssec.org/
More details can be found at:
http://labs.ripe.net/content/preparing-k-root-signed-root-zone
Impact on end-user kit:
http://download.nominet.org.uk/dnssec-cpe/DNSSEC-CPE-Report.pdf
Best timeline for events:
http://www.ripe.net/ripe/meetings/ripe-59/presentations/abley-signed-root.pdf
It is not the point whether MT can query DNSSEC; if it has UDP packets limited to 512 bytes, DNSSEC packets, whoever sends them, would not be able to pass through.