I have installed Windows server 2016 for my domain and configured DNSSEC for this domain, when i DIG to the server I get an un validated response (not RRSIG's are returned) this also occurs when using it to resolve other domains that are signed correctly eg.
dig isc.org @myserver | returns A record
dig isc.org @8.8.4.4 | returns A record & RRSIG
I tried
un-signing and resigning the zone.
uninstalling and reinstalling the role.
I have reconfigured the zone and the same happens...
I saw a similar problem arose in windows server 2012 and the following hot fix was released:
https://support.microsoft.com/en-gb/kb/3051472
I'll try reinstalling the server next but I doubt its any change i've made.
Michael Booth