ISP issue with CDN Mozilla

I find it likely that you suffer from exactly this problem, and consequently a noticeable fraction of names might be broken, mainly sites served from CDNs. I don’t think any approach with an explicit “whitelist” will be pleasant.

Hmm, on second thought, I’m not convinced negative trust anchors in kresd will be usable to work around this forwarding problem. Explanation I originally wanted to send:


It turns off DNSSEC for the whole sub-tree. As described there, due to DNSSEC being designed to protect zones as wholes, in kresd it often takes effect only from zone cuts below the specified names – so if you want to cover cdn.mozilla.net., the name belongs directly into the mozilla.net zone and you need to have a negative TA at that point already to be certain.
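
The placement rule described in the post above, as an added example that is not part of the original post: given the names someone wants to exempt, it finds the zone apex each name belongs to and the resulting negative trust anchor list. The zone apex set is a constructed sample (a real one comes from checking where SOA records live), and the output uses the `trust_anchors.set_insecure` call from kresd's Lua configuration.

```python
# Constructed sample of zone apexes (assumption, not looked up live).
ZONE_APEXES = {".", "net.", "mozilla.net.", "org.", "example.org.", "sub.example.org."}

def normalize(name):
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def enclosing_apex(name, apexes=ZONE_APEXES):
    """Apex of the zone containing `name`: the closest known cut at or above it."""
    labels = normalize(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in apexes:
            return candidate
    return "."

def is_subdomain(name, ancestor):
    """True if `name` equals `ancestor` or lies below it."""
    return ancestor == "." or name == ancestor or name.endswith("." + ancestor)

def nta_plan(names, apexes=ZONE_APEXES):
    """Minimal NTA list: one per enclosing zone, dropping any covered by another."""
    needed = sorted({enclosing_apex(n, apexes) for n in names},
                    key=lambda a: (0 if a == "." else a.count("."), a))
    minimal = []
    for apex in needed:
        # An NTA disables validation for its whole sub-tree, so a deeper one is redundant.
        if not any(is_subdomain(apex, kept) for kept in minimal):
            minimal.append(apex)
    return minimal

def render_kresd(ntas):
    """Render the list as a kresd Lua configuration line."""
    return "trust_anchors.set_insecure({ %s })" % ", ".join("'%s'" % n for n in ntas)

if __name__ == "__main__":
    wanted = ["cdn.mozilla.net", "a.sub.example.org", "www.example.org"]
    for name in wanted:
        print("%-20s -> zone %s" % (name, enclosing_apex(name)))
    print(render_kresd(nta_plan(wanted)))
```

The output makes the cost visible: exempting `cdn.mozilla.net.` means validation is off for everything under `mozilla.net.`, not just the CDN name.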