Hi @marcel,
It seems you are suffering from this PowerDNS bug, but it is strange because it only affects PowerDNS versions 4.0.3 and below, and it seems the DNS servers you are using for your domain are version 4.0.4.
$ dig fotoalbums-maken.nl ns +short
ns1.as31731.net.
ns2.as31731.net.
$ dig @ns1.as31731.net version.bind ch txt +short
"PowerDNS Authoritative Server 4.0.4 (built Jun 22 2017 20:08:49 by root@6454203fd461)"
$ dig @ns2.as31731.net version.bind ch txt +short
"PowerDNS Authoritative Server 4.0.4 (built Jun 22 2017 20:08:49 by root@6454203fd461)"
But the error seems exactly the same as for versions 4.0.3 and below. If you check it on the unboundtest.com page you will see this error:
debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
So it seems PowerDNS is not signing the answer when there is no record defined (in this case the CAA record for the editor.fotoalbums-maken.nl domain).
I don’t use PowerDNS with DNSSEC so I can’t help here, but maybe you need to use the pdnsutil rectify-zone command to solve this issue, or maybe the fastest way to solve the issue is adding a CAA record to your domain; if the base problem is the PowerDNS bug, then your server won’t send an empty unsigned response but will send a signed response.
Just in case, this site helps you find out what data you need to add to a CAA record for your domain… which is basically this:
editor.fotoalbums-maken.nl. CAA 0 issue "letsencrypt.org"
Good luck,
sahsanu
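
An added example, not part of sahsanu's post: a small Python check that reads `dig +dnssec` output for a CAA query and reports whether a NODATA answer carries a signed NSEC/NSEC3 record, which is what the unboundtest.com error above says is missing. The sample responses, the `example.nl` names and the function names are constructed for illustration.

```python
import re

# Constructed `dig +dnssec` output (placeholder names, not captured from any server).
# Case 1: NODATA for CAA with only an SOA in the authority section.
UNPROVEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; QUESTION SECTION:
;editor.example.nl.	IN	CAA
;; AUTHORITY SECTION:
example.nl.	3600	IN	SOA	ns1.example.net. hostmaster.example.nl. 1 10800 3600 604800 3600
"""
# Case 2: the same NODATA, now with a signed NSEC3 record in the authority section.
PROVEN = UNPROVEN + """\
example.nl.	3600	IN	RRSIG	SOA 8 2 3600 20170801000000 20170701000000 12345 example.nl. c2ln
abcd1234.example.nl.	3600	IN	NSEC3	1 0 1 ab12 abcd1235 A RRSIG
abcd1234.example.nl.	3600	IN	RRSIG	NSEC3 8 3 3600 20170801000000 20170701000000 12345 example.nl. c2ln
"""

def parse_sections(dig_text):
    """Return {section: [(rrtype, rdata_fields), ...]} parsed from dig output."""
    sections, current = {}, None
    for line in dig_text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            f = line.split()  # name ttl class TYPE rdata...
            sections[current].append((f[3], f[4:]))
    return sections

def classify_nodata(dig_text):
    """Classify a response as has-answer, nodata-proven, nodata-unproven or not-nodata."""
    status = re.search(r"status: (\w+)", dig_text)
    if not status or status.group(1) != "NOERROR":
        return "not-nodata"
    s = parse_sections(dig_text)
    if any(t != "RRSIG" for t, _ in s.get("ANSWER", [])):
        return "has-answer"
    auth = s.get("AUTHORITY", [])
    denial = {t for t, _ in auth if t in ("NSEC", "NSEC3")}
    signed = {r[0] for t, r in auth if t == "RRSIG" and r}  # type covered by each RRSIG
    # Presence check only: a validating resolver also verifies the signatures
    # and that the NSEC/NSEC3 record really covers the queried name and type.
    return "nodata-proven" if denial & signed else "nodata-unproven"

if __name__ == "__main__":
    for label, text in (("unsigned", UNPROVEN), ("signed", PROVEN)):
        print(label, "->", classify_nodata(text))
```
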