Is it possible to have dnssec enabled on the secondary DNS service? Currently, as it is configured, it will transfer RRSIG and NSEC records when requested specifically, but not in combination with other queries. It looks like in BIND 9.3, dnssec is disabled by default and enabling it also enables dnssec validation in BIND. In BIND 9.4 and later, dnssec enable and dnssec validation are separated options with dnssec enable turn on by default. Are you still planning an upgrade to 9.4+?