Yes, break-dnssec as an option for RPZ looks like a winner.
Thanks!
> Until the optional "recursive-only yes" phrase was added to the
> "response-policy{}" statement, RPZ would affect only unsigned responses.
> Server operators who want to rewrite DNSSEC signed responses can
> now do so by adding "break-dnssec yes;".
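For reference, the shape of a `named.conf` that turns this on. This is an added example, not part of the original message or of the quoted BIND text; the zone name `rpz.example.local`, the file names and the rewrite rule for `bad.example.net` are all assumptions, and the syntax follows the BIND 9.9-era `response-policy` grammar, where `break-dnssec` goes after the closing brace of the zone list, not inside it.

```conf
// named.conf (assumed path; example added here, not from the original message)

options {
    recursion yes;
    dnssec-validation auto;   // this server validates upstream answers
};

// The response policy zone is an ordinary local zone that holds the
// rewrite rules. Keep it unreachable from clients.
zone "rpz.example.local" {
    type master;
    file "rpz.example.local.db";   // assumed file name
    allow-query { none; };
};

// With break-dnssec left at its default (no), RPZ skips any response
// that carries DNSSEC records, so a rule for a signed domain silently
// does nothing. break-dnssec yes applies the rule to signed responses too.
response-policy {
    zone "rpz.example.local" policy given;
} break-dnssec yes;

// ---- rpz.example.local.db (assumed; constructed sample zone file) ----
// $TTL 1H
// @                 SOA   localhost. root.localhost. ( 1 1h 15m 30d 2h )
//                   NS    localhost.
// ; "CNAME ." means NXDOMAIN for this name and everything below it
// bad.example.net   CNAME .
// *.bad.example.net CNAME .
```

Check it with `dig +dnssec @<this-server> bad.example.net`: the rewritten answer comes back without RRSIGs and without the AD bit, which is the practical meaning of "breaking" DNSSEC. Any validating resolver or stub that sits behind this server and validates the forwarded answer itself will treat that rewritten reply as bogus and return SERVFAIL, so `break-dnssec yes` belongs on the resolver that does the validating for its clients, not on one that forwards to downstream validators.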