DNSSEC Validation in FORWARDing mode
In addition to policy.FORWARD
that just passes query to upstream resolver and answer back to OP, there should be a policy.FULLFORWARD
that would do a full DNSSEC Validation in forwarding mode (behind a resolver that supports DNSSEC Validation).