Recently, I ran into a problem with my PowerDNS server setup. When a user queried for a AAAA record against a zone that was DNSSEC-enabled and had only an A record for the subject of the query, the NOERROR negative response using an NSEC record from the PowerDNS authoritative server was validated by the PowerDNS recursor and other recursor software as “bogus”.
I was able to resolve this issue by enabling NSEC3 mode in PowerDNS using the ‘narrow’ flag to keep my SQL backend from requiring a zone rectify on every change.
The command to perform this was
sudo pdnsutil set-nsec3 <domain> '1 0 1 ab' narrow
If you’ve run into this issue, hopefully my post has helped you.