According to pf.conf:

    If no-df is given, fragments with the dont-fragment bit set have
    it cleared before entering the fragment cache, and thus the
    reassembled packet doesn't have dont-fragment set either.

But from reading the code, and from experimentation, this seems
backwards: dont-fragment bits are cleared by default, and if no-df is
set then fragmented packets marked as dont-fragment are discarded.

The .org name servers set dont-fragment on all response packets, even
fragmented ones, so a simple test case is:

    $ dig +dnssec +bufsize=4096 -t any org @a0.org.afilias-nst.info
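
To confirm from a capture that the responses really are fragments with dont-fragment still set, the IPv4 flags/offset field can be decoded directly. The following is an added example, not part of the original report or of pf; the function names and the sample headers (documentation addresses, zero checksum) are constructed for illustration.

```python
import struct

IP_DF = 0x4000       # dont-fragment flag
IP_MF = 0x2000       # more-fragments flag
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units


def parse_frag_fields(packet: bytes) -> dict:
    """Decode the fragmentation fields of a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    ident, flags_off = struct.unpack_from("!HH", packet, 4)
    offset = (flags_off & IP_OFFMASK) * 8
    mf = bool(flags_off & IP_MF)
    return {
        "id": ident,
        "df": bool(flags_off & IP_DF),
        "mf": mf,
        "offset": offset,
        # A packet is a fragment if more follow or it is not the first piece.
        "fragment": mf or offset > 0,
    }


def df_fragments(packets) -> list:
    """Indexes of packets that are fragments and still carry dont-fragment."""
    hits = []
    for i, pkt in enumerate(packets):
        f = parse_frag_fields(pkt)
        if f["fragment"] and f["df"]:
            hits.append(i)
    return hits


def make_header(ident: int, flags_off: int) -> bytes:
    """Constructed 20-byte UDP/IPv4 header (checksum left at 0, not verified)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_off, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


# Constructed samples: first fragment with DF, last fragment with DF
# (offset 1480), unfragmented packet with DF, first fragment without DF.
SAMPLES = [make_header(7, IP_DF | IP_MF), make_header(7, IP_DF | 185),
           make_header(8, IP_DF), make_header(9, IP_MF)]

if __name__ == "__main__":
    print(df_fragments(SAMPLES))
```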