CirrostratusEnabling DNSSEC for 1 record only
Realistically, the answer is no, because although you could, as per your example:
o create a new separate DNS zone named "uat.example.com" (with SOA and NS records)
o then create, for example, an A record in the zone so that "uat.example.com" resolves to an IP address
o then DNSSEC-sign this new "uat.example.com" zone so that it has the DNSSEC required public keys (DNSKEY records) and signatures (RRSIG records signed by private keys)
it would not be part of the DNSSEC chain-of-trust that DNSSEC validation requires. This is because if the parent zone "example.com" is not DNSSEC-signed (and thus is not part of the chain-of-trust), it therefore cannot vouch (with DS records) for the public keys (DNSKEY records) of the child zone "uat.example.com".
Note that the DNSSEC chain-of-trust starts with the root zone (".") and extends on down (e.g., "." to "com." to "cloudflare." to "community."), with any unsigned (or erroneous/bogus) component invalidating the rest of that chain-of-trust.
FOOTNOTE. The "real" example.com zone is DNSSEC-signed and passes validation, as per CloudFlare (IP 1.1.1.1) ...; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> SOA +additional +multiline +dnssec example.com. @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12683
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;example.com. IN SOA;; ANSWER SECTION:
example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. (
2022091331 ; serial
7200 ; refresh (2 hours)
3600 ; retry (1 hour)
1209600 ; expire (2 weeks)
3600 ; minimum (1 hour)
)
example.com. 3600 IN RRSIG SOA 13 2 3600 20230924195807 (
20230903171433 32385 example.com.
wsTSk8qrgpcDRtcNLCvGd0JAkDctbs4F3BJkIRtESRN0
4oq9jdGM4ArOjy/CoWQ1tuqrmhqoBC4BECq+uWf1Og== );; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 4 23:27:49 2023
;; MSG SIZE rcvd: 203
