TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

FWD to Domain DNS Server #807

Closed SuperStark closed 6 months ago

SuperStark commented 6 months ago

I have set up a zone for our domain and created a FWD to our domain controller/dns servers.

It does not seem to work correctly, with logs showing errors like:

[2023-12-11 00:00:04 UTC] DNS Server failed to resolve the request 'servername.domain.com. A IN' using forwarders: 10.10.10.10, 10.10.10.11. TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: DNSSEC validation failed due to missing RRSIG for owner name: /DNSKEY

Adding 'servername' to the zone works, it answers pings and nslookup shows correctly, however when removing it the forwarding does not work.

The DNS servers are both Server 2016, both healthy and are able to process DNS correctly (including for the 'servername' listed above).

Forwarding in settings is set as Cloudflare and Google - working fine for public IPs and blocking OK via ad blocking lists.

So is this me missing a step or is this a problem with the installation?

Domain name, IP and server name omitted for privacy.

ShreyasZare commented 6 months ago

Thanks for the post. You just need to edit the FWD record in your conditional forwarder zone and uncheck the "Enable DNSSEC Validation" option so that the DNS server does not perform DNSSEC validation for the responses from the forwarder. Try that and let me know if that fixed the issue.

SuperStark commented 6 months ago

slaps forehead

I unticked this under Settings: "Enable DNSSEC Validation", but did not notice it under FWD. Unticked, working fine now, thank you!

ShreyasZare commented 6 months ago

You're welcome. The FWD record's option is independent of the main option in Settings. Good to know you got it working!
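
An added example, not part of the thread or the project's own code: a Python script that reads log lines in the format quoted in the first post, groups the DNSSEC validation failures by forwarder set, and marks whether every forwarder is a private address, so the affected conditional forwarder zones stand out from failures involving public resolvers. The sample lines are constructed, and the names `summarize` and `is_internal` are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the log format quoted in the issue (placeholder names and IPs).
SAMPLE_LOG = """\
[2023-12-11 00:00:04 UTC] DNS Server failed to resolve the request 'servername.domain.com. A IN' using forwarders: 10.10.10.10, 10.10.10.11. TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: DNSSEC validation failed due to missing RRSIG for owner name: /DNSKEY
[2023-12-11 00:00:09 UTC] DNS Server failed to resolve the request 'fileserver.domain.com. AAAA IN' using forwarders: 10.10.10.10, 10.10.10.11. TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: DNSSEC validation failed due to missing RRSIG for owner name: /DNSKEY
[2023-12-11 00:01:30 UTC] DNS Server failed to resolve the request 'example.org. A IN' using forwarders: 1.1.1.1, 8.8.8.8. TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: DNSSEC validation failed due to missing RRSIG for owner name: /DNSKEY
[2023-12-11 00:02:00 UTC] Some unrelated log entry.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] DNS Server failed to resolve the request "
    r"'(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)' using forwarders: "
    r"(?P<fwd>.+?)\. \S*DnssecValidationException: (?P<reason>.*)$"
)

def is_internal(addr):
    """True when addr is an IP literal in a private range (e.g. RFC 1918)."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False  # not a bare IP literal; treat as external

def summarize(log_text):
    """Group DNSSEC validation failures by the forwarder set that produced them."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a forwarder DNSSEC validation failure
        fwds = tuple(f.strip() for f in m["fwd"].split(","))
        groups[fwds].add(m["qname"].rstrip(".").lower())
    return [
        {"forwarders": list(fwds),
         "all_internal": all(is_internal(f) for f in fwds),
         "names": sorted(names)}
        for fwds, names in sorted(groups.items())
    ]

if __name__ == "__main__":
    for group in summarize(SAMPLE_LOG):
        scope = "internal forwarders" if group["all_internal"] else "public forwarders"
        print(f"{scope} {group['forwarders']}: {', '.join(group['names'])}")
```

Groups marked as internal point at FWD records whose own "Enable DNSSEC Validation" option applies, as described in the reply above.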