

bdavis
Jul 16, 2014

DNSSEC: Delegated Zones

Currently we are running the GTM/DNS environment in a screening mode where the GTMs sit in front of the DNS appliances and only respond to queries that they know about; otherwise they load balance back to the DNS appliances for a response. We previously ran into an issue when we decided to move a zone to the GTM to be DNSSEC signed, like many others we have done in the past. However, the difference in this zone is that it contains delegated sub-zones. When we moved this zone up to the GTM we started receiving phone calls that users from certain service providers that enforce DNSSEC validation could not resolve our delegated records in this zone. I have yet to figure out why this happened. Since this was such an ordeal to fix, and we had to call these major service providers and persuade them to flush their DNS cache to bring these applications back to a healthy state, there is some significant push back against trying this again until we have some idea what happened. Now we are in a position where we have no choice but to move this zone back to the GTM to be signed, because we have WideIPs to create.


I have done some research and believe that when our DNS appliances respond to a query that happens to be a delegation, they provide the NS servers of the external entity that we are delegating to, and some sort of opt-out flag ensures that keys are not provided for this delegation because it is an insecure delegation. However, I'm assuming that the F5 was not providing this opt-out flag. This is just a theory at this point.


If anyone has any advice or suggestions on how to fix this, or whether this issue even exists anymore, it would be a great help. Thank you in advance.


2 Replies

    bdavis
    Does anyone know how to get F5 GTM to handle DNSSEC NSEC3 opt-out for insecure delegated subdomains so they do not fail DNSSEC validation?
    bdavis
    Update: This was a bug in the code. It has been fixed in an ENG HF, and I have been told it will roll into the next public HF for 11.6.
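As an added illustration of the NSEC3 opt-out mechanism the post theorises about and the first reply asks for (this is not code from the thread, nor F5's implementation), the Python below computes NSEC3 hashed owner names as RFC 5155 defines them and then, from a validating resolver's point of view, shows why an unsigned delegation that has no NSEC3 record of its own is accepted only when the NSEC3 span covering its hash carries the Opt-Out flag. The parent zone, its salt and iteration count, and the names "old.example." and "legacy.example." are all constructed for the example; `classify_delegation` assumes the child is a direct child of the zone apex.

```python
"""Added example (not from the post or from F5): RFC 5155 NSEC3 hashing and the
Opt-Out rule that lets a signed parent skip NSEC3 records for unsigned (insecure)
delegations. Zone names, salt and iteration count below are constructed."""
from dataclasses import dataclass
import hashlib

B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 s7 alphabet; sorts like the raw bytes
OPT_OUT = 0x01                                 # NSEC3 Flags field, bit 0 (RFC 5155 s3.1.2.1)


def base32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest encodes to exactly 32 characters."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wire_name(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire-format owner name, RFC 4034 s6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """Hashed owner name per RFC 5155 s5: SHA-1 over name||salt, then `iterations` more
    rounds of SHA-1 over digest||salt (iterations+1 hash operations in total)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


@dataclass(frozen=True)
class NSEC3:
    owner_hash: str        # hashed owner name (the zone suffix is implied)
    next_hash: str         # Next Hashed Owner Name field
    flags: int             # Flags field; bit 0 is Opt-Out
    types: frozenset       # Type Bit Maps field


def covers(rec: NSEC3, h: str) -> bool:
    """True if h lies strictly between owner and next. The last record of the chain points
    back to the first, so a 'next' smaller than 'owner' means the span wraps around."""
    if rec.owner_hash < rec.next_hash:
        return rec.owner_hash < h < rec.next_hash
    return h > rec.owner_hash or h < rec.next_hash


def build_chain(zone: dict, salt: bytes, iterations: int, opt_out: bool) -> list:
    """Signer-side view: one NSEC3 per listed owner name, sorted by hash and linked in a ring."""
    hashed = sorted((nsec3_hash(n, salt, iterations), n) for n in zone)
    flags = OPT_OUT if opt_out else 0
    return [
        NSEC3(h, hashed[(i + 1) % len(hashed)][0], flags, frozenset(zone[n]))
        for i, (h, n) in enumerate(hashed)
    ]


def classify_delegation(chain: list, child: str, salt: bytes, iterations: int) -> str:
    """Validator-side view (RFC 5155 s8.9): a DS query for `child` at the parent came back
    with no DS record; decide what the parent's NSEC3 chain proves about that.
    Assumes `child` is a direct child of the apex, so its closest encloser is the zone itself."""
    h = nsec3_hash(child, salt, iterations)
    for rec in chain:
        if rec.owner_hash == h:
            # A matching NSEC3 must show NS set and DS clear to prove an insecure delegation.
            if "NS" in rec.types and "DS" not in rec.types:
                return "insecure"
            return "bogus"
        if covers(rec, h):
            # No NSEC3 for the child at all: only an Opt-Out span may legitimately omit it.
            return "insecure-optout" if rec.flags & OPT_OUT else "bogus"
    return "bogus"   # neither matched nor covered: the chain itself is broken


# Constructed sample parent zone. "legacy" is an unsigned delegation the signer left out of
# the chain, which is exactly what Opt-Out permits; "old" is an unsigned delegation that
# was given its own NSEC3 record anyway.
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
ZONE = {
    "example.":     {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "ns1.example.": {"A", "RRSIG"},
    "old.example.": {"NS"},
}
CHAIN_OPT_OUT = build_chain(ZONE, SALT, ITERATIONS, opt_out=True)
CHAIN_NO_OPT_OUT = build_chain(ZONE, SALT, ITERATIONS, opt_out=False)


def demo() -> dict:
    """What a validating resolver concludes for each delegation under each chain."""
    out = {}
    for label, chain in (("opt-out", CHAIN_OPT_OUT), ("no-opt-out", CHAIN_NO_OPT_OUT)):
        for child in ("old.example.", "legacy.example."):
            out[(label, child)] = classify_delegation(chain, child, SALT, ITERATIONS)
    return out


if __name__ == "__main__":
    for (label, child), verdict in demo().items():
        print(f"{label:11} {child:18} -> {verdict}")
```

The "no-opt-out" plus "legacy" combination is the failure mode the thread describes: the parent hands out the child's NS records, a validating resolver asks the parent for DS, and the NSEC3 it receives covers the child's hash without the Opt-Out bit, so the resolver concludes the delegation should not exist and marks the answer bogus. On a live zone the same check is `dig +dnssec DS sub.example.` at the parent's authoritative server: in the NSEC3 record returned in the authority section, the second numeric field after the type (hash algorithm, then flags) is 1 when Opt-Out is set and 0 when it is not. The hash routine can be cross-checked against the worked vectors in RFC 5155 Appendix A.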