I have an almost out-of-the-box Windows 2003 Server which is also a domain name server for some users. Should I be worried about the 5th of May's deployment of DNSSEC on the root name servers?
I have already run:
dnscmd /Config /EnableEDnsProbes 1
Thanks a lot!
PS. My firewalls / network infrastructure do not block UDP packets > 512 B.
My result from the RIPE test:
Announced buffer size: 1280 bytes
Measured buffer size: 1259 bytes
EDNS enabled: yes
DNSSEC enabled: no
Your resolver does not have DNSSEC enabled.
Note: There will always be a difference between the announced and measured buffer size because of the algorithm used. However this difference should not exceed 300 bytes.
PS #2
This is an Active Directory server, so it has the DNS service, which is an authoritative DNS server for some internal DNS zone [not used on the public internet]. This server is also used as a recursive name server for some internal users.
I would think that you would need to worry only if two things apply to your situation:
You use the root hint servers instead of forwarders
Your firewall blocks DNS UDP packets larger than 512 bytes
I know that my firewalls don't support DNS UDP packets larger than 512 bytes so I've switched from using the root hint servers to using Google's public DNS servers for external DNS queries.
I think it would be best if you try the tests RIPE explains here; then you can see whether you need to do anything on your server or your firewalls. Everything else would be guesswork from my point of view.
If your users are connected through their own routers, they should also try the tests to see whether the DNS queries will work. I have a Fritz router and I needed to apply a workaround, as the router only supports DNS packets of up to 512 bytes.
From what you've said I'm presuming that this is a recursive server, and not an authoritative server.
From the details given, you should have no problems. Your network apparently supports responses > 512 bytes, and your server supports EDNS0.
In any event, you will only ever have problems if your server sends queries to external servers that have the DO bit (DNSSEC OK) set. Without that flag all responses from the root servers (and any other authoritative servers for that matter) will look exactly the same come May 5th as they did before DNSSEC.
The only other thing you should check is that your network permits outbound DNS queries to work over TCP - so don't ever block outbound tcp/53 on your firewall.
If you need more help, please ask. I'm the author of various ICANN and IETF documents relating to this issue.
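An added example, not part of any answer above and not the RIPE tester's code, to make the last answer concrete: it builds a DNS query with and without an EDNS0 OPT record and the DO (DNSSEC OK) bit, parses a reply, and reports the three things that matter for the May 5th change: the TC (truncated) flag that forces a retry over TCP/53, an OPT record that was stripped on the way back, and a reply larger than 512 bytes. The "Announced buffer size" in the RIPE output is the UDP payload size carried in the OPT record that this script sets. Every packet here is constructed inside the script (the name example.com, the address 192.0.2.1 and the sizes are made up for the demonstration), so it runs offline.

```python
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
DNS_CLASS_IN = 1
DO_BIT = 0x8000  # DNSSEC OK: top bit of the low 16 bits of the OPT pseudo-RR's TTL field (RFC 6891)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(data, offset):
    """Return the offset just past a wire-format name, honouring compression pointers (0xC0xx)."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def build_query(name, qtype=DNS_TYPE_A, txid=0x1234, edns=True, udp_size=1280, do_bit=False):
    """Build a recursive query; with edns=True an OPT record advertises udp_size and optionally sets DO."""
    flags = 0x0100  # RD=1, as a forwarder or stub would send
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    additional = b""
    if edns:
        # OPT: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=ext-RCODE|version|flags, RDLEN=0
        additional = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, DO_BIT if do_bit else 0, 0)
    return header + question + additional


def parse_message(data):
    """Extract the header flags and, if present, the EDNS0 parameters from a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "is_response": bool(flags & 0x8000), "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "edns": False, "udp_size": 512, "do": False,
            "answer_count": an, "size": len(data)}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == DNS_TYPE_OPT:
            info["edns"] = True
            info["udp_size"] = rclass            # CLASS field carries the payload size
            info["do"] = bool(ttl & DO_BIT)
            info["rcode"] |= (ttl >> 24) << 4    # extended RCODE bits
        off += rdlen
    return info


def build_response(query, answers=1, truncated=False, include_opt=True, udp_size=4096):
    """Constructed reply to `query`: echoes the question, adds `answers` A records (192.0.2.1), optional OPT."""
    q = parse_message(query)
    question = query[12:skip_name(query, 12) + 4]
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA, optionally TC
    header = struct.pack("!HHHHHH", q["id"], flags, 1, answers, 0, 1 if include_opt else 0)
    # Each answer uses a compression pointer (0xC00C) back to the question name: 16 bytes per record
    rr = struct.pack("!HHHIH", 0xC00C, DNS_TYPE_A, DNS_CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, 0, 0) if include_opt else b""
    return header + question + rr * answers + opt


def diagnose(query, response):
    """Return the conditions a resolver operator cares about for a given query/response pair."""
    q, r = parse_message(query), parse_message(response)
    notes = []
    if r["id"] != q["id"]:
        notes.append("transaction ID mismatch: reply does not belong to this query")
    if r["truncated"]:
        notes.append("TC set: answer did not fit in UDP, resolver must retry over TCP/53")
    if q["edns"] and not r["edns"]:
        notes.append("OPT stripped: upstream or a middlebox dropped EDNS0, expect 512-byte replies only")
    if r["size"] > 512 and not q["edns"]:
        notes.append("reply larger than 512 bytes without EDNS0 negotiation")
    return notes


if __name__ == "__main__":
    query = build_query("example.com", udp_size=1280, do_bit=True)
    big = build_response(query, answers=40)          # 680 bytes, fits the advertised 1280
    print(parse_message(big)["size"], diagnose(query, big))
    cut = build_response(query, answers=0, truncated=True, include_opt=False)
    print(diagnose(query, cut))
```

Run as-is it prints the size of the large constructed reply with an empty diagnostics list, then the two findings for the truncated, OPT-less reply. Pointing the same builder at a real socket would show what a firewall that caps UDP at 512 bytes does to the second case: the only recovery is the TCP retry, which is why the answer says never to block outbound tcp/53.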