In /foris/config/main/dns/ uncheck “use forwarding”. It means to switch from recursive to iterative, if you use that terminology.
We don’t intentionally break this case. You can’t obtain e.g. DNSKEY or DS through a forwarder when the apex is a CNAME, because the forwarder will (and is supposed to) return records from the target. These records are necessary to validate the answer.