Does anyone know whether the DNS ZoneScopes used by DNS Policy can be signed and DNSSEC enabled? Looking at the DNSSEC related DnsServer PowerShell cmdlets it appears that they do not support the -ZoneScope parameter. As this is the only way to manipulate ZoneScope settings it seems to indicate that signing scopes is not possible...?
You cannot individually sign zone scopes, however, once you sign a default zone the scopes are also signed. Signed scopes allow you to leverage DNS policies as you would normally.