Hi,
With regard to your issue, when trying to resolve a domain that has 'bogus issues', the DNS server should only return a SERVFAIL error status without any DNS data (an indication of general name resolution failure), as follows:
~ dig www.dnssec-failed.org
; <<>> DiG 9.7.2-P2 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17692
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; Query time: 108 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Fri Nov 19 16:08:29 2010
;; MSG SIZE rcvd: 39
So according to my research, the 'Bad DNSSEC Cache' will not exist in DNSSEC. For more details, please refer to:
https://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
https://serverfault.com/questions/720293/dnsmasq-returns-false-bogus-result-for-dnssec-validation
-------If my answer is helpful to you, please remember to mark it as the answer. Thank you!------
Regards
Gloria
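
An added example, not part of the reply above: it rebuilds the 39-byte response shown in the dig output (id 17692, flags qr rd ra, status SERVFAIL, one question, no records) and parses the header the way a monitoring script could, to flag a SERVFAIL that carries no DNS data. The function names and the sample bytes are constructed for illustration; an empty SERVFAIL on its own does not prove the cause was DNSSEC validation.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}

def encode_name(name):
    """Encode a host name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qid, flags, rcode, qname, counts=(1, 0, 0, 0)):
    """Constructed sample: header plus one A/IN question, no resource records."""
    word = sum(FLAG_BITS[f] for f in flags) | rcode
    header = struct.pack("!6H", qid, word, *counts)
    return header + encode_name(qname) + struct.pack("!2H", 1, 1)

def parse_response(msg):
    """Parse the 12-byte header and the first question name of a DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qid, word, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    labels, pos = [], 12
    while qd:
        if pos >= len(msg) or msg[pos] & 0xC0:
            raise ValueError("truncated or compressed question name")
        n = msg[pos]
        if n == 0:
            break
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return {
        "id": qid,
        "status": RCODES.get(word & 0x000F, str(word & 0x000F)),
        "flags": [f for f, bit in FLAG_BITS.items() if word & bit],
        "counts": {"query": qd, "answer": an, "authority": ns, "additional": ar},
        "qname": ".".join(labels) + "." if labels else "",
    }

def is_empty_servfail(parsed):
    """True when the resolver reported SERVFAIL and returned no DNS data."""
    c = parsed["counts"]
    return parsed["status"] == "SERVFAIL" and c["answer"] == c["authority"] == 0

# Constructed to match the dig output above (MSG SIZE rcvd: 39).
SAMPLE = build_response(17692, ["qr", "rd", "ra"], 2, "www.dnssec-failed.org")

if __name__ == "__main__":
    parsed = parse_response(SAMPLE)
    print(len(SAMPLE), parsed, is_empty_servfail(parsed))
```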