Attached test asks for unsigned2.box. SOA and the request ends with SERVFAIL.

I believe that it should work because the domain is an unsigned delegation from parent, with child hosted on the same server. The delegation is inside opt-out range so resolver should verify unsigned status of zone and continue.

(I hope there is no mistake in the test, I did my best. If there is a mistake in test itself I apologize.)