DNSSEC Validation in FORWARDing mode

In addition to policy.FORWARD that just passes query to upstream resolver and answer back to OP, there should be a policy.FULLFORWARD that would do a full DNSSEC Validation in forwarding mode (behind a resolver that supports DNSSEC Validation).

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

DNSSEC Validation in FORWARDing mode