Seems that I rushed a bit - forwarding a zone can only be done to NS(es) of that zone? If yes, then my issue was, I forwarded to a public-generic DNSes. Now with forwarding to authoritative servers & with RPZ forwarded domains works. (without TAs) I'm on 5.2.7 thanks, L.