Please enable EDNS(0) in your name servers. It would benefit your users whose domains are DNSSEC-signed. It enables larger UDP packets, so that there is less need to use TCP for DNS traffic. It might even alleviate your network load. It should just be a matter of not disabling it in your name server software, and not blocking large UDP DNS packets in your firewall. When I check my domain with dnsviz.net, it reports no response over UDP from 2a03:b0c0:0:1010::7e:7001 (i.e. ns17.zoneedit.com) due to NOEDNS.
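
An added example, not part of the original post and not ZoneEdit's or DNSViz's code: the Python below builds a DNS query carrying the EDNS(0) OPT record (RFC 6891), which is how a client advertises a UDP payload size above the classic 512 bytes, and checks whether a reply carries an OPT record back. The name example.com, the 1232-byte payload size and both sample replies are constructed assumptions.

```python
import struct

OPT = 41  # RR type of the EDNS(0) OPT pseudo-record (RFC 6891)

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def opt_rr(udp_size, do_bit):
    # OPT reuses the RR layout: NAME=root, CLASS=UDP payload size,
    # TTL=ext-rcode(8) | version(8) | DO flag + zero bits(16), RDLEN=0.
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x8000 if do_bit else 0, 0)

def build_query(name, qtype=1, udp_size=1232, do_bit=True, qid=0x1234):
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + opt_rr(udp_size, do_bit)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def edns_info(msg):
    """Return (udp_size, version, do_bit) from the OPT RR, or None if there is none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            return rclass, (ttl >> 16) & 0xFF, bool(ttl & 0x8000)
    return None

# Constructed sample messages (not captured traffic); example.com is a placeholder.
QUERY = build_query("example.com")
QUESTION = QUERY[12:-11]  # strip the 12-byte header and the 11-byte OPT RR
REPLY_PLAIN = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 0) + QUESTION
REPLY_EDNS = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 0, 1) + QUESTION + opt_rr(4096, True)

if __name__ == "__main__":
    for label, msg in (("plain reply", REPLY_PLAIN), ("EDNS reply", REPLY_EDNS)):
        print(label, "->", edns_info(msg) or "no OPT record: server ignored EDNS(0)")
```

The same `edns_info` check can be applied to the bytes returned by a real name server after sending `build_query(...)` to it over UDP port 53.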