DNSSEC behaviour questions

When forwarding DNS traffic to ZIA, how does Zscaler handle DNSSEC and DNSSEC validation?

  1. Does the Zscaler Trusted Resolver validate DNSSEC? If so, does it honor the CD Flag to disable DNSSEC validation?
  2. Are there any configurable options regarding negative trust anchors for bogus domains? Are negative trust anchors global or per-tenant?
    In case they are global, is there a list of negative trust anchors we can consult?
    Does Zscaler add custom negative trust anchors based on individual requests?
  3. Is there a way to disable DNSSEC for specific users?