On 03.02.2016 09:36, Mark Andrews wrote: > No. Insecure != invalid. Insecure zones don't have a DNSSEC chain > of trust to a configured trust anchor. OK, understood. However, in the case of an unsigned private domain that is forwarded, it would be insecure and not invalid, right? What's the reason this does not work either, then?