So by default all Cisco PIX / ASA configs have something along these lines...
policy-map type inspect dns migrated_dns_map_1
message-length maximum 512
inspect dns migrated_dns_map_1 <-- DNS inspection
So after May 5th, when DNSSEC is enabled on all root servers, I'd expect many queries to be over the 512 byte maximum. See http://www.theregister.co.uk/2010/04/13/dnssec/ if you are not familiar with this.
Does this mean I should change the 512 number to something else? Suggestions on that? Or should I just disable DNS inspection completely with "no inspect dns"?