Wednesday, April 14, 2010

DNSSEC on 5/5/2010 - Win2k3 Not Ready?!

So I stumbled across this Register article with some fine information regarding DNSSEC:
http://www.theregister.co.uk/2010/04/13/dnssec/
After running some nice tests from the following link, I determined my firewalls were an issue:
http://labs.ripe.net/content/preparing-k-root-signed-root-zone#diy

After an hour of dinking around, I went and verified a couple other sites, and discovered the following:

Netware 5.1 works fine
TinyDNS (dnscache/djbdns) doesn't even support EDNS0

I began to think maybe Win2k3 might be the problem, since I have multiple firewalls at that location and supposedly they allow the larger UDP packets. So I installed BIND 9 on my workstation as a known-good resolver to compare against.

I found a dig command that makes the check MUCH easier. The TXT answer from rs.dns-oarc.net reports the EDNS buffer size your resolver advertised and the largest reply that actually made it back to it, so it exercises both the resolver and every firewall in the path:
dig +short rs.dns-oarc.net txt

So I started playing with firewalls and BIND / Win2k3:
(IPs obfuscated)

Bind:

$ dig +short rs.dns-oarc.net txt @127.0.0.1
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2010-04-14 20:41:26 UTC"
"198.100.195.102 sent EDNS buffer size 4096"
"198.100.195.102 DNS reply size limit is at least 3843"

$ dig +short rs.dns-oarc.net txt @127.0.0.1
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2010-04-14 20:45:49 UTC"
"64.98.23.194 sent EDNS buffer size 4096"
"64.98.23.194 DNS reply size limit is at least 3843"

$ dig +short rs.dns-oarc.net txt @127.0.0.1
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2010-04-14 20:46:51 UTC"
"64.98.189.1 sent EDNS buffer size 4096"
"64.98.189.1 DNS reply size limit is at least 3843"


Here three different firewalls/gateways pass large UDP DNS replies: the BIND resolver advertises a 4096-byte EDNS buffer, and a 3843-byte reply made it back through each of them.

Now the same test against 3 different Win2k3 servers behind 2 of those gateways.


Win2k3:

$ dig +short rs.dns-oarc.net txt @10.9.0.13
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"64.98.23.194 DNS reply size limit is at least 490"
"64.98.23.194 lacks EDNS, defaults to 512"
"Tested at 2010-04-14 20:43:53 UTC"

$ dig +short rs.dns-oarc.net txt @10.9.0.15
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"64.98.23.194 DNS reply size limit is at least 490"
"64.98.23.194 lacks EDNS, defaults to 512"
"Tested at 2010-04-14 20:44:27 UTC"

$ dig +short rs.dns-oarc.net txt @172.16.4.13
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"64.98.189.1 DNS reply size limit is at least 490"
"64.98.189.1 lacks EDNS, defaults to 512"
"Tested at 2010-04-14 21:10:39 UTC"



Looks like Win2k3 DOES NOT WORK. The servers send no EDNS0 OPT record at all, so the test treats them as stuck at the classic 512-byte UDP reply limit (the largest reply that got through was 490 bytes), nowhere near what responses from a signed root zone need. Bad news. (A resolver without EDNS0 can still retry over TCP when a UDP reply comes back truncated, but that is slower, and TCP/53 is often blocked by the same firewalls.)
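To rerun this check across a whole list of resolvers instead of eyeballing each transcript, here is an added example script (mine, not from the original post or from DNS-OARC). It assumes the TXT output format shown in the transcripts above, and it treats a resolver as ready only if it advertises EDNS0 and the measured reply limit is at least 1220 bytes, the minimum RFC 4035 requires of a DNSSEC-aware resolver. The two sample outputs in the script are constructed from the BIND and Win2k3 transcripts so the classifier can be exercised offline; the threshold variable name and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): batch the DNS-OARC reply-size
# test across several resolvers and classify each one from the TXT records
# that "dig +short rs.dns-oarc.net txt @RESOLVER" returns.

# RFC 4035 requires a DNSSEC-aware resolver to support EDNS0 messages of at
# least 1220 bytes; a resolver with no EDNS0 is stuck at the classic 512-byte
# UDP limit. Override with MIN_REPLY_SIZE=4096 ./rs-check.sh ... if you want
# the stricter check.
MIN_REPLY_SIZE=${MIN_REPLY_SIZE:-1220}

# classify_rs_output: reads one resolver's dig output on stdin and prints
# "PASS limit=N edns=yes" or "FAIL limit=N edns=yes|no|unknown".
# Returns 0 for PASS and 1 for FAIL.
classify_rs_output() {
    out=$(cat)
    # Largest reply size the test saw get through to the resolver.
    limit=$(printf '%s\n' "$out" \
        | sed -n 's/.*DNS reply size limit is at least \([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    limit=${limit:-0}
    # Did the resolver send an EDNS0 OPT record at all?
    if printf '%s\n' "$out" | grep -q 'lacks EDNS'; then
        edns=no
    elif printf '%s\n' "$out" | grep -q 'sent EDNS buffer size'; then
        edns=yes
    else
        edns=unknown
    fi
    if [ "$edns" = yes ] && [ "$limit" -ge "$MIN_REPLY_SIZE" ]; then
        printf 'PASS limit=%s edns=%s\n' "$limit" "$edns"
        return 0
    fi
    printf 'FAIL limit=%s edns=%s\n' "$limit" "$edns"
    return 1
}

# check_resolver: run the live test against one resolver (needs dig and network).
check_resolver() {
    printf '%s: ' "$1"
    dig +short rs.dns-oarc.net txt "@$1" | classify_rs_output
}

# Constructed samples, copied from the BIND and Win2k3 transcripts in the post.
SAMPLE_BIND='rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"Tested at 2010-04-14 20:41:26 UTC"
"198.100.195.102 sent EDNS buffer size 4096"
"198.100.195.102 DNS reply size limit is at least 3843"'

SAMPLE_WIN2K3='rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"64.98.23.194 DNS reply size limit is at least 490"
"64.98.23.194 lacks EDNS, defaults to 512"
"Tested at 2010-04-14 20:43:53 UTC"'

# self_test: the BIND sample must PASS and the Win2k3 sample must FAIL,
# exactly as in the post. Returns 0 when both hold.
self_test() {
    printf '%s\n' "$SAMPLE_BIND" | classify_rs_output >/dev/null || return 1
    ! printf '%s\n' "$SAMPLE_WIN2K3" | classify_rs_output >/dev/null || return 1
}

# Usage: ./rs-check.sh 10.9.0.13 10.9.0.15 172.16.4.13
# With no arguments, run the offline self-test on the constructed samples.
if [ "$#" -eq 0 ]; then
    self_test && echo "self-test OK"
else
    for r in "$@"; do check_resolver "$r"; done
fi
```

Run it with the addresses of every resolver your clients use, including the ones behind each firewall, since a gateway that silently drops UDP fragments will show up here as a low "limit" even when the resolver itself advertises 4096.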

ARGH! I went through all of this only to discover that someone had turned EDNS probes off on those servers. WTH? Turning it back on with dnscmd on each Win2k3 server:

dnscmd /Config /EnableEDnsProbes 1