> A DNSSEC signature for "this domain doesn't exist" is much longer than a DNSSEC signature for "this domain exists, but doesn't have the type of record you asked for" so these providers choose to always return the latter type of answer
This seems like a major design flaw in DNSSEC, if so.
(I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)