diff --git a/plugin/dnssec/dnssec.go b/plugin/dnssec/dnssec.go
index 84de05c86..9a20776fe 100644
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
@@ -49,7 +49,7 @@ func (d Dnssec) Sign(state request.Request, zone string, now time.Time) *dns.Msg
 incep, expir := incepExpir(now)
- if mt == response.NameError {
+ if mt == response.NameError || mt == response.NoData {
 if req.Ns[0].Header().Rrtype != dns.TypeSOA || len(req.Ns) > 1 {
 return req
 }
diff --git a/plugin/dnssec/dnssec_test.go b/plugin/dnssec/dnssec_test.go
index 83ce70beb..34c9bf331 100644
--- a/plugin/dnssec/dnssec_test.go
+++ b/plugin/dnssec/dnssec_test.go
@@ -127,6 +127,20 @@ func TestSigningDname(t *testing.T) {
 }
 }
+func TestSigningEmpty(t *testing.T) {
+ d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
+ defer rm1()
+ defer rm2()
+
+ m := testEmptyMsg()
+ m.SetQuestion("a.miek.nl.", dns.TypeA)
+ state := request.Request{Req: m}
+ m = d.Sign(state, "miek.nl.", time.Now().UTC())
+ if !section(m.Ns, 2) {
+ t.Errorf("authority section should have 2 sig")
+ }
+}
+
 func section(rss []dns.RR, nrSigs int) bool {
 i := 0
 for _, r := range rss {
@@ -181,6 +195,13 @@ func testMsgDname() *dns.Msg {
 }
 }
+func testEmptyMsg() *dns.Msg {
+ // don't care about the message header
+ return &dns.Msg{
+ Ns: []dns.RR{test.SOA("miek.nl. 1800 IN SOA ns.miek.nl. dnsmaster.miek.nl. 2017100301 200 100 604800 3600")},
+ }
+}
+
 func newDnssec(t *testing.T, zones []string) (Dnssec, func(), func()) {
 k, rm1, rm2 := newKey(t)
 c := cache.New(defaultCap)
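Review bot: In `Sign` (plugin/dnssec/dnssec.go), the widened condition now routes NoData responses into a branch that reads `req.Ns[0]` before any length check, so it relies on the classifier never reporting NoData or NameError for a message with an empty authority section. That guarantee is not visible in this hunk, and the message being signed may come from another plugin or an upstream server, so an index-out-of-range panic here would be a denial of service. Testing the length first makes the invariant explicit without changing behaviour for non-empty sections: `if len(req.Ns) != 1 || req.Ns[0].Header().Rrtype != dns.TypeSOA {`. The fall-through deserves a comment as well, for example `// authority is not a single SOA: return the response unsigned`, since that path silently skips signing. The body of `Sign` continues outside the hunk.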
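Review bot: `TestSigningEmpty` (plugin/dnssec/dnssec_test.go) only counts signatures in the authority section, so it would still pass if the two RRSIGs covered the wrong record types, and it never exercises the early `return req` path that leaves a response unsigned. Consider checking `TypeCovered` on each `*dns.RRSIG` in `m.Ns` (the SOA plus whatever denial record `Sign` adds, presumably an NSEC), and adding a case whose authority section holds the SOA and one more record, expecting no signatures. The failure message would be more useful if it printed the section, e.g. `t.Errorf("authority section should have 2 sigs, got %v", m.Ns)`. The `section` helper's body runs past the end of the hunk.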
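Review bot: The comment in `testEmptyMsg` says the message header does not matter, but the test appears to depend on the zero-value Rcode (NOERROR) together with the lone SOA for the message to be classified as NoData; the classifier is outside this diff, so this should be confirmed. A comment such as `// Rcode stays 0 (NOERROR); with only an SOA in the authority section this should be typed as NoData` would document that dependency. The name also departs from the neighbouring `testMsgDname` visible in the hunk header; `testMsgEmpty` would match it.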