For making sure a resolver is also able to resolve when not connected to the internet (which is usually not the case), I have configured a forward zone:

zone "example.com" {
    type forward;
    forward only;
    forwarders { 1.2.3.4; 5.6.7.8; };
};

The forwarders listed there are the authoritative nameservers. This works great except the zone given there is DNSSEC-enabled. Validation fails because the request is made non-recursively and thus not signed correctly (which I expect).

I don't want to turn off the dnssec validation for that zone, but instead, trust the key.

How can I achieve that? Is it possible to configure that per zone?

Related to: bind9 configure forward zone for local domain without DNSSEC for this zone only

michi.0x5d

1 Answer

If I understand the question correctly, the problem would appear to be that you are for whatever reason not able to validate the full chain of trust all the way back to the root (where you have the default trust anchor). If the problem particularly occurs without Internet connectivity, that would appear to make sense.
What you can do (particularly if you will be made aware of any changes, such as if this is your own zone) is to explicitly add your own trust-anchor for this particular zone directly.

In BIND this would be done using the trusted-keys config directive (or managed-keys as applicable, for automated (RFC5011) trust anchor updates).
What you do then is essentially specifying the key that you want to trust for some particular zone instead of relying on the normal chain of trust published via DS records tracing all the way back to the root.

E.g.:

trusted-keys {
     example.com. 257 3 8 "AwEAAbOFAxl+Lkt0UMglZizKEC1AxUu8zlj65KYatR5wBWMrh18TYzK/ ig6Y1t5YTWCO68bynorpNu9fqNFALX7bVl9/gybA0v0EhF+dgXmoUfRX 7ksMGgBvtfa2/Y9a3klXNLqkTszIQ4PEMVCjtryl19Be9/PkFeC9ITjg MRQsQhmB39eyMYnal+f3bUxKk4fq7cuEU0dbRpue4H/N6jPucXWOwiMA kTJhghqgy+o9FfIp+tR/emKao94/wpVXDcPf5B18j7xz2SvTTxiuqCzC MtsxnikZHcoh1j4g+Y1B8zIMIvrEM+pZGhh/Yuf4RwCBgaYCi9hpiMWV vS4WBzx0/lU=";
};
Håkan Lindqvist
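
The following is an added example, not part of the answer above: before pinning a key as a trust anchor you want to confirm it is the zone's KSK and that its key tag and DS digest match the values obtained out of band (for instance the DS record the parent publishes). The function names, the refusal of keys without the SEP bit, and the 3-byte dummy key in `SAMPLE` are assumptions made for this sketch.

```python
import base64
import hashlib
import struct

# Constructed sample: one DNSKEY line in the presentation format printed by
# `dig DNSKEY example.com +noall +answer`. The key data is a 3-byte dummy.
SAMPLE = "example.com. 3600 IN DNSKEY 257 3 8 AQID"


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, key_bytes) from one RR line."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    # dig may split the base64 into several whitespace-separated chunks
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0].lower(), flags, proto, alg, key


def key_tag(rd):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rd))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner, rd):
    """DS digest type 2: SHA-256 over wire-format owner name + DNSKEY RDATA."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return hashlib.sha256(wire + rd).hexdigest().upper()


def trust_anchor(line):
    """Build a trusted-keys stanza; this sketch refuses keys without the SEP bit."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    if not flags & 0x0001:
        raise ValueError("not a KSK (SEP bit clear): flags=%d" % flags)
    rd = struct.pack("!HBB", flags, proto, alg) + key
    b64 = base64.b64encode(key).decode()
    stanza = 'trusted-keys {\n    %s %d %d %d "%s";\n};' % (owner, flags, proto, alg, b64)
    return stanza, key_tag(rd), ds_sha256(owner, rd)


if __name__ == "__main__":
    stanza, tag, digest = trust_anchor(SAMPLE)
    print(stanza, "\nkey tag:", tag, "DS SHA-256:", digest)
```

On BIND 9.16 and later, `trusted-keys` is deprecated; the same key goes in a `trust-anchors` block with the `static-key` keyword before the flags field.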