diff --git a/middleware/file/dnssec_test.go b/middleware/file/dnssec_test.go
index 6ea4f95c1..a3c7072a7 100644
--- a/middleware/file/dnssec_test.go
+++ b/middleware/file/dnssec_test.go
@@ -51,6 +51,7 @@ var dnssecTestCases = []coretest.Case{
 		},
 	},
 	{
+		// NoData
 		Qname: "a.miek.nl.", Qtype: dns.TypeSRV, Do: true,
 		Ns: []dns.RR{
 			coretest.NSEC("a.miek.nl.	14400	IN	NSEC	archive.miek.nl. A AAAA RRSIG NSEC"),
@@ -60,6 +61,7 @@ var dnssecTestCases = []coretest.Case{
 		},
 	},
 	/* HAHA nsec... shit.
+	// disprove *.miek.nl and that b.miek.nl does not exist
 	{
 		Qname: "b.miek.nl.", Qtype: dns.TypeA,
 		Rcode: dns.RcodeNameError,
diff --git a/middleware/file/file.go b/middleware/file/file.go
index 97e916116..c005b41cc 100644
--- a/middleware/file/file.go
+++ b/middleware/file/file.go
@@ -39,7 +39,7 @@ func (f File) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (i
 		return xfr.ServeDNS(ctx, w, r)
 	}
 
-	an, ns, extra, result := z.Lookup(qname, state.QType(), state.Do())
+	answer, ns, extra, result := z.Lookup(qname, state.QType(), state.Do())
 
 	m := new(dns.Msg)
 	m.SetReply(r)
@@ -47,10 +47,9 @@ func (f File) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (i
 
 	switch result {
 	case Success:
-		// case?
-		m.Answer = an
+		m.Answer = answer
+		m.Ns = ns
 		m.Extra = extra
-		// Ns section
 	case NameError:
 		m.Ns = ns
 		m.Rcode = dns.RcodeNameError
diff --git a/middleware/file/lookup.go b/middleware/file/lookup.go
index 34fb0252c..0e2c4cb80 100644
--- a/middleware/file/lookup.go
+++ b/middleware/file/lookup.go
@@ -25,13 +25,14 @@ func (z *Zone) Lookup(qname string, qtype uint16, do bool) ([]dns.RR, []dns.RR,
 	} else {
 		rr = mk()
 	}
-	rr.Header().Rrtype = qtype // this is pretty nonobvious
-
 	if qtype == dns.TypeSOA {
 		return z.lookupSOA(do)
 	}
 
+	// Misuse rr to be a question.
+	rr.Header().Rrtype = qtype
 	rr.Header().Name = qname
+
 	elem := z.Tree.Get(rr)
 	if elem == nil {
 		return z.nameError(elem, rr, do)
@@ -47,6 +48,7 @@ func (z *Zone) Lookup(qname string, qtype uint16, do bool) ([]dns.RR, []dns.RR,
 	if len(rrs) == 0 {
 		return z.noData(elem, do)
 	}
+
 	if do {
 		sigs := elem.Types(dns.TypeRRSIG)
 		sigs = signatureForSubType(sigs, qtype)
@@ -69,7 +71,7 @@ func (z *Zone) nameError(elem *tree.Elem, rr dns.RR, do bool) ([]dns.RR, []dns.R
 		return nil, ret, nil, Success
 	}
 	// NSECs!
-	return nil, []dns.RR{z.SOA}, nil, Success
+	return nil, []dns.RR{z.SOA}, nil, NameError
 }
 
 func (z *Zone) lookupSOA(do bool) ([]dns.RR, []dns.RR, []dns.RR, Result) {
@@ -94,7 +96,6 @@ func (z *Zone) lookupNSEC(elem *tree.Elem, do bool) []dns.RR {
 		}
 	}
 	return nsec
-
 }
 
 func (z *Zone) lookupCNAME(rrs []dns.RR, rr dns.RR, do bool) ([]dns.RR, []dns.RR, []dns.RR, Result) {