Hello.

On 09/10/2025 11.36, Jiri Masek via knot-resolver-users wrote:
did same deployment again and it seem configuration works correctly. Only difference from Knot Resolver 5 is that now forwarded queries are cached - which is a good thing. So my previous config must contain some mistake.

I'm glad to hear that.  I think that caching should work well now for these cases - that even when an NSEC* record from non-forwarded DNS would cover your query, it shouldn't be used.  At least unless I misremembered or some bug sneaked in.  For example, querying coop1 as query would add NSEC for coop->corsica, proving that no .corp exists and subsequently using that to immediately NXDOMAIN.

--Vladimir