No DNSSEC when FORWARD policy enabled

It was discovered that the documentation for FORWARD policy missed the information about DNSSEC validation. The query policies are only applied on inbound queries and therefore the full DNSSEC validation is disabled when Knot Resolver operates in FORWARD mode, and relies on DNSSEC validation from upstream resolver.

As a workaround, you can either:

Example configuration:

-- Use IPv6 CZ.NIC Open DNSSEC Validating Resolvers
policy.add(policy.all(policy.FORWARD('2001:1488:800:400::130','2001:678:1::206')))
-- Use IPv4 CZ.NIC Open DNSSEC Validating Resolvers
policy.add(policy.all(policy.FORWARD('217.31.204.130','193.29.206.206')))

For the full list of Knot Resolver features, please see the online documentation.