I'm confused. The DF bit should only be set in packets that you are forwarding to someone else, i.e., if you are acting as a router. Is that what you are doing? I can imagine a situation where our action is incorrect. If you are acting as a router and the system routing through you is setting the DF bit in order to do MTU discovery, and your MTU is less than the packet size, then we should be sending back an ICMP message saying that we couldn't fragment. Otherwise the connection can't go through. Is this your situation? The only other situation I can imagine is that we're somewhere forgetting to zero out the bit when creating packets.
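For reference, the router-side behaviour described above (packet larger than the outgoing MTU with DF set: don't fragment, send back ICMP "fragmentation needed") written out as an added, self-contained example. This is illustration code, not from this thread or from any particular kernel; the function names (forward_decision, build_icmp_frag_needed) and the sample packet bytes are constructed here. The ICMP layout follows RFC 792 type 3 code 4 with the Next-Hop MTU field from RFC 1191.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_DF 0x4000u   /* "Don't Fragment" flag in the IPv4 flags/fragment-offset field */

enum fwd_action { FWD_PASS = 0, FWD_FRAGMENT = 1, FWD_ICMP_FRAG_NEEDED = 2, FWD_DROP = 3 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Internet (ones' complement) checksum, RFC 1071. Run over a message that
 * already carries a correct checksum it returns 0, which is the verify test. */
static uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (len & 1)
        sum += (uint32_t)data[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Forwarding decision for one IPv4 datagram (hypothetical helper). The router
 * uses the header's total-length field, not the buffer size, to compare against
 * the outgoing MTU: fits -> pass; too big, DF clear -> fragment; too big, DF
 * set -> must not fragment, send ICMP type 3 code 4 back to the source. */
enum fwd_action forward_decision(const uint8_t *pkt, size_t pkt_len, size_t out_mtu)
{
    if (pkt_len < 20 || (pkt[0] >> 4) != 4)
        return FWD_DROP;                    /* truncated or not IPv4 */
    if (be16(pkt + 2) <= out_mtu)
        return FWD_PASS;
    if (be16(pkt + 6) & IP_DF)
        return FWD_ICMP_FRAG_NEEDED;
    return FWD_FRAGMENT;
}

/* Build the ICMP "Fragmentation Needed and DF Set" message (RFC 792 type 3
 * code 4; bytes 6-7 carry the Next-Hop MTU per RFC 1191). The quoted original
 * is its IP header plus the first 8 bytes of payload. Returns the message
 * length, or 0 if the original is malformed or the output buffer is too small. */
size_t build_icmp_frag_needed(const uint8_t *orig, size_t orig_len,
                              uint16_t next_hop_mtu, uint8_t *out, size_t out_cap)
{
    size_t ihl, quote, len;
    uint16_t csum;
    if (orig_len < 20) return 0;
    ihl = (size_t)(orig[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > orig_len) return 0;
    quote = ihl + 8;
    if (quote > orig_len) quote = orig_len;   /* quote what we actually have */
    len = 8 + quote;
    if (out_cap < len) return 0;
    out[0] = 3;               /* type: Destination Unreachable */
    out[1] = 4;               /* code: Fragmentation Needed and DF Set */
    out[2] = 0; out[3] = 0;   /* checksum, filled in below */
    out[4] = 0; out[5] = 0;   /* unused */
    out[6] = (uint8_t)(next_hop_mtu >> 8);
    out[7] = (uint8_t)(next_hop_mtu & 0xff);
    memcpy(out + 8, orig, quote);
    csum = inet_checksum(out, len);
    out[2] = (uint8_t)(csum >> 8);
    out[3] = (uint8_t)(csum & 0xff);
    return len;
}

/* Constructed sample: IPv4 header (IHL 5, total length 1500, DF set, TCP) plus
 * the first 8 bytes of a TCP header. Only the header fields matter here. */
static const uint8_t sample_df_pkt[28] = {
    0x45, 0x00, 0x05, 0xdc,  /* ver/ihl, tos, total length 1500 */
    0x12, 0x34, 0x40, 0x00,  /* id, flags = DF, fragment offset 0 */
    0x40, 0x06, 0x00, 0x00,  /* ttl 64, proto TCP, header checksum (unset) */
    0x0a, 0x00, 0x00, 0x01,  /* src 10.0.0.1 */
    0x0a, 0x00, 0x01, 0x02,  /* dst 10.0.1.2 */
    0xc3, 0x50, 0x00, 0x50,  /* TCP src port 50000, dst port 80 */
    0x00, 0x00, 0x00, 0x01   /* TCP seq 1 */
};

/* Same packet with DF clear, so a router would fragment instead. */
static const uint8_t sample_nodf_pkt[28] = {
    0x45, 0x00, 0x05, 0xdc, 0x12, 0x34, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x01, 0x02,
    0xc3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01
};

static uint8_t demo_buf[64];

int main(void)
{
    size_t n;
    printf("DF set, MTU 1400: action=%d (2 = send ICMP frag needed)\n",
           forward_decision(sample_df_pkt, sizeof sample_df_pkt, 1400));
    n = build_icmp_frag_needed(sample_df_pkt, sizeof sample_df_pkt, 1400,
                               demo_buf, sizeof demo_buf);
    printf("icmp len=%zu type=%u code=%u next-hop MTU=%u checksum verify=%u\n",
           n, demo_buf[0], demo_buf[1], be16(demo_buf + 6), inet_checksum(demo_buf, n));
    return 0;
}
```

The sending host's PMTU discovery only works if the Next-Hop MTU field is filled in and the quoted header is intact, since the host matches the quote back to its own socket; a router that drops the oversized DF packet silently is the classic PMTU black hole the post describes as "the connection can't go through".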