GTM DNSSEC module and dotgov domains
I am trying to get a .gov domain hosted by us on a GTM with the DNSSEC module configured and am running into issues getting it to pass the validation tests from the feds. They want to see a DS record for the domain exist in the domain itself before they add it to the .gov parent domain. The problem I am finding is that the DNSSEC module removes this record even if it exists in the zone on the BIND server. So far I have tested this with ZoneRunner, DNS Express and using a DNS pool attached to the listener, and in every case saw the same issue. After enabling DNSSEC I copy the DS record into the zone file itself, and then if I query for the DS record directly from the BIND server it's returned, but if I query for it from the GTM it's not when I have DNSSEC enabled for that zone. If I disable DNSSEC on the zone I see the DS records returned by both, so it seems like it's something inside the DNSSEC module itself.
Any suggestions or advice on how to handle this would be appreciated. We need the GTM DNSSEC module so that we can use the Wide IP features of the GTMs, but we are also required to support DNSSEC on these domains.