DNSSEC negative reply size
I have some questions regarding the Cloudflare blog article from 2015. They describe a problem they observed with negative replies and their solution:
Second, we do negative answers in a special way. Negative answers in DNSSEC can get large. For zones signed with NSEC, it’s not uncommon to have SOA + RRSIG(SOA) + 2 NSEC records + 2 RRSIG(NSEC) records in the negative answers. Even for the weakest RSA keys allowed, this results in an answer that is at least 635 bytes. NSEC3 signed answers require, in most cases, 3 NSEC3 and 3 RRSIG (NSEC3) records to deny the existence of the item asked for—that’s at least 1000 bytes. So we selected NSEC as our negative answer and use ECC keys. But the biggest saving comes from not having to prove that the covering wildcard exists at all, which is the role of the second NSEC record. We return an answer that says, “sure, the name exists, but the type you asked for does not”. This allows us to return only one NSEC record in negative answers!
Does anyone know to what extent these considerations are applicable to the current bind9 and what options are available when encountering the same problem with bind9? Other insights or comments are also welcome.
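To make the size argument in the quoted paragraph concrete, here is a small wire-format sizer written for this post; it is an added example, not code from the question, from Cloudflare, or from BIND. It assembles the authority section of a classic NSEC NXDOMAIN answer (SOA + RRSIG, NSEC covering the name + RRSIG, NSEC covering the wildcard + RRSIG) and of the single-NSEC NODATA answer the quote describes, then measures both for RSA-1024, RSA-2048 and ECDSA P-256 signatures. The zone `example.com.`, its NSEC chain, the query name and the `\000.www.example.com.` next-name are constructed for the illustration; names are written without RFC 1035 compression, so the totals come out higher than the figures in the quote, but the gap between the two answer shapes and between the algorithms is what the code shows.

```python
"""Wire-size estimate for DNSSEC negative answers from an NSEC-signed zone.

Constructed example (not code from the question or the quoted blog post):
builds an NXDOMAIN answer (two NSEC records: one covering the name, one
covering the wildcard) and a single-NSEC NODATA answer, then sizes each for
three signing algorithms.  Names are emitted without RFC 1035 compression,
so the totals are an upper bound on what a real server would send.
"""
import struct

# RR type codes used below (IANA DNS parameters registry)
A, NS, SOA, MX, OPT, RRSIG, NSEC, DNSKEY = 1, 2, 6, 15, 41, 46, 47, 48

# (DNSSEC algorithm number, signature length in bytes).  An RSA signature is
# as long as the modulus; an ECDSA P-256 signature is two 32-byte integers.
ALGS = {
    "RSASHA256-1024": (8, 128),
    "RSASHA256-2048": (8, 256),
    "ECDSAP256SHA256": (13, 64),
}

ZONE = "example.com."        # constructed zone
QNAME = "www.example.com."   # constructed query name, not present in the zone


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("latin-1")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def type_bitmap(types):
    """RFC 4034 section 4.1.2: one (window, length, bits) block per 256-type
    window, with trailing zero octets dropped."""
    windows = {}
    for t in types:
        window, offset = divmod(t, 256)
        bits = windows.setdefault(window, bytearray(32))
        bits[offset // 8] |= 0x80 >> (offset % 8)
    out = b""
    for window in sorted(windows):
        bits = bytes(windows[window]).rstrip(b"\x00")
        out += bytes([window, len(bits)]) + bits
    return out


def rr(owner, rtype, rdata, ttl=3600):
    """owner + type(2) + class IN(2) + ttl(4) + rdlength(2) + rdata."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def soa_rr(zone, mname, rname):
    # MNAME + RNAME + serial/refresh/retry/expire/minimum (5 x 4 bytes)
    counters = struct.pack("!5I", 1, 7200, 900, 1209600, 300)
    return rr(zone, SOA, encode_name(mname) + encode_name(rname) + counters)


def nsec_rr(owner, next_name, types):
    return rr(owner, NSEC, encode_name(next_name) + type_bitmap(types))


def rrsig_rr(owner, covered, signer, alg):
    """RFC 4034 section 3.1 RRSIG; the signature is a zero-filled placeholder
    of the algorithm's real length (only the size matters here)."""
    alg_no, sig_len = ALGS[alg]
    labels = len(owner.rstrip(".").split("."))
    fixed = struct.pack("!HBBIIIH", covered, alg_no, labels, 3600, 0, 0, 0)
    return rr(owner, RRSIG, fixed + encode_name(signer) + bytes(sig_len))


def message(qname, rcode, authority):
    """Header + question + authority RRs + an empty EDNS OPT record with the
    DO bit set (DNSSEC answers are only returned to EDNS/DO queries)."""
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, 0, len(authority), 1)
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    opt = encode_name(".") + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + question + b"".join(authority) + opt


def nxdomain_answer(alg):
    """Classic NSEC NXDOMAIN.  Assumed chain:
    example.com. -> mail.example.com. -> ns1.example.com. -> example.com.
    In canonical order '*' sorts before 'm', so the apex NSEC covers
    *.example.com.; the ns1 NSEC wraps to the apex and covers www."""
    authority = [
        soa_rr(ZONE, "ns1.example.com.", "hostmaster.example.com."),
        rrsig_rr(ZONE, SOA, ZONE, alg),
        nsec_rr("ns1.example.com.", ZONE, {A, RRSIG, NSEC}),
        rrsig_rr("ns1.example.com.", NSEC, ZONE, alg),
        nsec_rr(ZONE, "mail.example.com.", {A, NS, SOA, MX, RRSIG, NSEC, DNSKEY}),
        rrsig_rr(ZONE, NSEC, ZONE, alg),
    ]
    return message(QNAME, 3, authority)   # rcode 3 = NXDOMAIN


def nodata_answer(alg):
    """The one-NSEC variant from the quote: NOERROR with an NSEC at the query
    name whose bitmap lists only NSEC and RRSIG, so the requested type is
    provably absent and no wildcard proof is needed.  The next name
    '\\000.www.example.com.' is an assumed minimal successor."""
    authority = [
        soa_rr(ZONE, "ns1.example.com.", "hostmaster.example.com."),
        rrsig_rr(ZONE, SOA, ZONE, alg),
        nsec_rr(QNAME, "\x00." + QNAME, {RRSIG, NSEC}),
        rrsig_rr(QNAME, NSEC, ZONE, alg),
    ]
    return message(QNAME, 0, authority)   # rcode 0 = NOERROR


def compare():
    """{algorithm: (nxdomain_bytes, nodata_bytes)} for every algorithm."""
    return {alg: (len(nxdomain_answer(alg)), len(nodata_answer(alg))) for alg in ALGS}


if __name__ == "__main__":
    for alg, (nx, nd) in compare().items():
        print(f"{alg:16} NXDOMAIN (2 NSEC): {nx:5d} bytes   NODATA (1 NSEC): {nd:5d} bytes")
```

Running it shows why the two choices in the quote compound: the signature length enters the NXDOMAIN answer three times but the NODATA answer only twice, so shortening signatures (ECDSA) and dropping the wildcard NSEC together roughly halve the uncompressed size relative to RSA-2048 NXDOMAIN. The zero-filled signatures mean the messages are not validatable; the example measures shape, not correctness.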