Implementing a "bind" DNS with RPZ blacklist without breaking DNSSEC


When implementing a DNS black-list using a "Response Policy Zone" (RPZ), you could end up breaking DNSSEC.

Is there a workaround to this problem when you are the admin of the clients and of every DNS server?

The current case is our internal Windows and Linux clients contacting an inner layer of forwarding Windows and "bind" DNS servers, before the requests are forwarded to the "outer" resolving "bind" DNS server. The RPZ filter in question is installed on the latter.

A requirement is that the outer DNS-server must continue to do DNSSEC validation.

user945334

Posted 2018-09-19T11:50:21.267

Reputation: 11

No answers
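An added configuration example for the layout the question describes (it is not part of the original post and not the asker's own configuration). BIND applies RPZ only to queries with DO=0, or to names that have no DNSSEC records, unless the `response-policy` statement carries `break-dnssec yes`; with that option the outer server still validates the upstream answer before applying the policy, but the substitute answer it returns is unsigned, so any inner forwarder or client that validates on its own will reject it. The fragments below therefore put validation and the RPZ on the outer resolver only and turn validation off on the inner BIND forwarders. The zone name `rpz.example.internal`, the address `192.0.2.53` for the outer resolver, the `10.0.0.0/8` client range and the names in the RPZ zone are all constructed for the example.

```conf
// ---- outer resolver (the one that validates and carries the RPZ) ----
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };

    // Validate every upstream answer against the built-in root trust anchor.
    dnssec-validation auto;

    // The policy is applied to the validated answer. Without break-dnssec yes,
    // queries that set the DO bit for signed names would bypass the blacklist;
    // with it, the rewritten answer is returned unsigned, so nothing downstream
    // may validate it again.
    response-policy { zone "rpz.example.internal"; } break-dnssec yes;
};

// Local RPZ zone; never served to clients directly.
zone "rpz.example.internal" {
    type master;
    file "rpz.example.internal.db";
    allow-query { none; };
};

// ---- inner "bind" forwarder (between the clients and the outer resolver) ----
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };

    // Forward everything to the outer resolver and trust its validation.
    // Turning validation off here is what keeps the RPZ answers usable:
    // a validating forwarder would mark the unsigned substitute answer bogus.
    forward only;
    forwarders { 192.0.2.53; };
    dnssec-validation no;
};
```

The matching `rpz.example.internal.db` file (constructed sample data) lists the blacklisted names: a `CNAME .` entry returns NXDOMAIN for the name, a wildcard entry covers everything under it, and an `A` record sinkholes a name to a local address:

```conf
$TTL 300
@                       IN SOA   localhost. hostmaster.example.internal. (
                                     2018091901 3600 900 604800 300 )
                        IN NS    localhost.
; NXDOMAIN for the name and every label below it
bad.example.com         CNAME    .
*.bad.example.com       CNAME    .
; sinkhole to an internal address
tracker.example.net     A        10.0.0.5
```

Windows DNS servers in the inner layer need the equivalent treatment: they must forward to the outer resolver without performing their own DNSSEC validation, otherwise the rewritten answers fail there in the same way.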