2020-04-04 Found the probable reason of the DNSSEC subzones problem 5 months ago
I think I found the most probable reason of the earlier problem with DNSSEC signed subzones. I was trying this with a domain for which I don't have control over one of the secondary nameservers. In one of my showerthought moments I decided to try another domain where I have that full control (just less nameservers) and was able to make it all validate correctly after some tries. Forgetting one or more of all the steps needed to correctly create a domain with DNSSEC and getting the delegation right will give errors. So I guess running a nameserver with all DNSSEC options disabled hinders validation.