I'm trying to set up a resolver with the addition of an invented TLD
(this is an experiment, no need to explain to me that it may be a bad
idea). I have authoritative name servers for the dummy TLD, which is
signed with DNSSEC, and I want DNSSEC validation.
The documentation says that policy.FORWARD requires forwarding to a
resolver :-(
policy.STUB disables validation so it is a no-no.
If I configure with policy.add + policy.FORWARD, and trust_anchors.add
for the key of the dummy TLD, it works for the TLD apex and for
subdomains of the TLD which are NOT signed, but for signed subdomains
of the TLD, I get SERVFAIL + "EDE: 12 (NSEC Missing): (AHXI)".
Querying the authoritative name servers directly with the DO bit, I
get all the RRSIG and NSEC I need. But apparently, Knot cannot get them.
Knot-resolver 5.7.4