I use mod-synth-record to provide some reverse records for a LAN. tregon-grifon.swordarmor.fr. is signed with DNSSEC, but I have a RRSIG
only for the records in the pasted file.
Yes, this is going to fail. To get around this knot would have to implement signing on-the-fly. I'm not sure if that's on the roadmap anywhere.