[Freeipa-users] Question regarding DNSSEC + AD Trust

Hello, This may sound like a noobish question, but how can I make DNSSEC play nicely when the external domain have DNSSEC enabled and this makes internal zones failing when creating an AD trust, since we are using subdomains for our LAN? Our case: example.com (External DNS name with DNSSEC enabled) win.example.com (Active Directory Zone) nix.example.com (FreeIPA Zone) Even with the correct conditional forwarders set up in Windows DNS and FreeIPA DNS, DNSSEC kicks in and fail resolutions. I _MUST_ disable DNSSEC? There’s another way? Thanks,