That’s a possible approach, e.g. simply adding configuration
    -- forward the listed suffixes to a stub, everything else stays on normal servers
    policy.add(policy.suffix(
        policy.STUB('51.254.25.115'),
        policy.todnames({ 'coin.', 'geek.', 'libre.' })
    ))
but it won’t be 100%. (You also need to uncheck forwarding in Foris so your ISP’s servers don’t take precedence.) It will use standard servers and DNSSEC validation for everything – except for the list of suffixes you specify (and those won’t be validated at all).
Still, knot-resolver doesn’t count on the DNS tree being inconsistent, so e.g. if someone makes a query for geej. (e.g. by an accidental typo), this record from the official root will get into its cache:
    gea. 86400 IN NSEC gent. NS DS RRSIG NSEC
proving that there’s nothing at all between those two names, and after that it will always immediately reply that *.geek. does not exist (without asking any servers). I see no way to disable that by configuration ATM, except giving up validation everywhere…
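As an added illustration of the cache behaviour described above (example code written for this page, not code from the post or from knot-resolver), the following Python reproduces the decision a validating resolver makes from that one cached root NSEC: canonical name ordering per RFC 4034 section 6.1, the ancestor-delegation exception per RFC 4035 section 5.4, and the RFC 8198 "aggressive" synthesis of NXDOMAIN from cached NSECs. The NSEC record and the three stub suffixes are the ones quoted above; the function names (canonical_key, proves_nonexistent, suffixes_shadowed_by) and the sample query names are my own choices.

```python
# Added example (not code from the forum post or from knot-resolver): how a
# validating resolver decides that one cached NSEC proves a name absent,
# using the root-zone record quoted in the post. Canonical ordering follows
# RFC 4034 s6.1, the ancestor-delegation rule RFC 4035 s5.4, and answering
# NXDOMAIN from cached NSECs is what RFC 8198 calls aggressive use of NSEC.

def name_to_labels(name):
    """Split an absolute presentation-format name into lowercase labels."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def canonical_key(name):
    """Sort key for RFC 4034 canonical DNS name order: labels are compared
    from the root upwards as unsigned octet strings, and a name that runs
    out of labels first sorts first (exactly how Python orders lists of
    bytes)."""
    return [label.encode("ascii") for label in reversed(name_to_labels(name))]


def is_subdomain(qname, parent):
    """True if qname is strictly below parent (root is an ancestor of all)."""
    q, p = name_to_labels(qname), name_to_labels(parent)
    return len(q) > len(p) and q[len(q) - len(p):] == p


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between owner and next_name in canonical
    order. The last NSEC of a zone points back to the apex, so next_name
    may sort before owner; that interval wraps around the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def proves_nonexistent(owner, next_name, owner_types, qname):
    """Whether this NSEC, cached from a signed zone, lets a resolver answer
    NXDOMAIN for qname without asking anyone: qname must fall inside the
    NSEC interval, and the NSEC must not sit at a delegation point above
    qname (an owner with NS but no SOA says nothing about names that live
    in the child zone)."""
    types = {t.upper() for t in owner_types}
    if "NS" in types and "SOA" not in types and is_subdomain(qname, owner):
        return False
    return nsec_covers(owner, next_name, qname)


# Constructed scenario from the post: a typo query for geej. pulls this
# root-zone NSEC into the cache (owner, next owner, type bitmap).
ROOT_NSEC = ("gea.", "gent.", ["NS", "DS", "RRSIG", "NSEC"])

# The suffixes the post's policy.STUB rule was meant to serve.
STUB_SUFFIXES = ["coin.", "geek.", "libre."]


def suffixes_shadowed_by(nsec=ROOT_NSEC, suffixes=STUB_SUFFIXES):
    """Which stub suffixes the cached NSEC turns into instant NXDOMAIN."""
    owner, nxt, types = nsec
    return [s for s in suffixes if proves_nonexistent(owner, nxt, types, s)]


if __name__ == "__main__":
    owner, nxt, types = ROOT_NSEC
    for q in ["geej.", "geek.", "www.geek.", "coin.", "libre.", "www.gea."]:
        verdict = "NXDOMAIN from cache" if proves_nonexistent(owner, nxt, types, q) \
            else "must be resolved"
        print(f"{q:12} -> {verdict}")
    print("shadowed stub suffixes:", suffixes_shadowed_by())
```

Running it shows why only geek. is hit by this particular record: coin. sorts before gea. and libre. after gent., so they stay outside the interval, while every name under geek. sorts between the two owners and is answered from cache. The delegation check is what keeps the same record from wrongly "proving" that www.gea. is absent.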