diff --git a/CHANGES b/CHANGES
index a513d5cf9e..af377adb32 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3981. [bug] Cache DS/NXDOMAIN independently of other query types.
+ [RT #37467]
+
 3978. [test] Added a unit test for Diffie-Hellman key computation, completing change #3974. [RT #37477]
diff --git a/bin/tests/system/forward/ns2/named.conf b/bin/tests/system/forward/ns2/named.conf
index 8860f44ff0..9c855b4753 100644
--- a/bin/tests/system/forward/ns2/named.conf
+++ b/bin/tests/system/forward/ns2/named.conf
@@ -55,6 +55,11 @@ zone "example4." {
 file "example.db";
 };
+zone "grafted." {
+ type master;
+ file "example.db";
+};
+
 zone "1.0.10.in-addr.arpa." {
 type master;
 file "example.db";
diff --git a/bin/tests/system/forward/ns4/named.conf b/bin/tests/system/forward/ns4/named.conf
index 6fb7ae2e52..e397038676 100644
--- a/bin/tests/system/forward/ns4/named.conf
+++ b/bin/tests/system/forward/ns4/named.conf
@@ -56,3 +56,9 @@ zone "1.0.10.in-addr.arpa" {
 forward only;
 forwarders { 10.53.0.2; };
 };
+
+zone "grafted" {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.2; };
+};
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
index f7ab5e2f0f..4c5ac6a095 100644
--- a/bin/tests/system/forward/tests.sh
+++ b/bin/tests/system/forward/tests.sh
@@ -110,5 +110,18 @@ grep "status: NXDOMAIN" dig.out.f2 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:checking that DS lookups for grafting forward zones are isolated"
+ret=0
+$DIG grafted A @10.53.0.4 -p 5300 > dig.out.q1
+$DIG grafted DS @10.53.0.4 -p 5300 > dig.out.q2
+$DIG grafted A @10.53.0.4 -p 5300 > dig.out.q3
+$DIG grafted AAAA @10.53.0.4 -p 5300 > dig.out.q4
+grep "status: NOERROR" dig.out.q1 > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.q2 > /dev/null || ret=1
+grep "status: NOERROR" dig.out.q3 > /dev/null || ret=1
+grep "status: NOERROR" dig.out.q4 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 0f4ef6f4cc..e517dad2ae 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4192,7 +4192,11 @@ validated(isc_task_t *task, isc_event_t *event) {
 inc_stats(res, dns_resstatscounter_valnegsuccess);
- if (fctx->rmessage->rcode == dns_rcode_nxdomain)
+ /*
+ * Cache DS NXDOMAIN seperately to other types.
+ */
+ if (fctx->rmessage->rcode == dns_rcode_nxdomain &&
+ fctx->type != dns_rdatatype_ds)
 covers = dns_rdatatype_any;
 else
 covers = fctx->type;
@@ -7425,7 +7429,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 */
 if (WANTNCACHE(fctx)) {
 dns_rdatatype_t covers;
- if (message->rcode == dns_rcode_nxdomain)
+
+ /*
+ * Cache DS NXDOMAIN seperately to other types.
+ */
+ if (message->rcode == dns_rcode_nxdomain &&
+ fctx->type != dns_rdatatype_ds)
 covers = dns_rdatatype_any;
 else
 covers = fctx->type;
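Review bot: The new test block does not record why `grafted DS` is expected to return NXDOMAIN while the A and AAAA lookups return NOERROR, nor that q3 deliberately repeats q1 so that the A lookup runs after the DS NXDOMAIN has been cached. A comment above `ret=0` such as `# the DS NXDOMAIN must be cached for DS only; A (q3) and AAAA (q4) asked afterwards must still resolve through the forwarder` would make the guarded regression explicit. All four greps also fold into one `ret`, so a failure does not show which lookup regressed; printing the offending file name next to `I:failed` would speed up triage.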
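Review bot: The same two-line condition is now duplicated in `validated()` and in `resquery_response()` (the second resolver.c hunk), so the validated and unvalidated negative-caching paths can drift apart again. A small static helper that takes the rcode and `fctx->type` and returns the `covers` value would keep them in step. The added comment says what is done but not why, and misspells "separately"; wording such as `/* Cache a DS NXDOMAIN under DS only, so it cannot mask other types cached at the same name. */` records the reason (inferred from the CHANGES entry and the forward-zone test, so adjust it as needed). Since an NXDOMAIN stored with `covers = dns_rdatatype_any` appears to suppress every type at the name until it expires, it is worth confirming that no other negative-cache call site still passes `dns_rdatatype_any` for a DS fetch. Both functions begin and end outside these hunks.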