server forward to server does not work

lejeczek peljasz at yahoo.co.uk
Fri May 20 15:15:05 UTC 2016


hi fellow users,

I'm having a puzzle to solve and because I'm an amateur I'm 
hoping an expert could help, otherwise it'll take me ages.

I have a 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.7 which runs a 
signed zone and another server that forwards to it.

The server (swir.private.aaa.bbb.private.czz.yy.zz) that 
forwards to the zone reports:

May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]:   validating @0x7f5fe4007f80: XXXX.ZZZZ SOA: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]: validating @0x7f5fe4008c10: whale.XXXX.ZZZZ A: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]:   validating @0x7f5fe4007f80: whale.XXXX.ZZZZ NSEC: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]:   validating @0x7f5fd800f5c0: XXXX.ZZZZ SOA: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]:   validating @0x7f5fd800f5c0: whale.XXXX.ZZZZ NSEC: no valid signature found
May 20 16:02:57 swir.private.aaa.bbb.private.czz.yy.zz named[9104]: error (no valid RRSIG) resolving 'whale.XXXX.ZZZZ/DS/IN': 192.168.2.100#53

whale.XXXX.ZZZZ is the server with signed zone, above is a 
result of

$ dig +qr any that.zone

and query does not return a single record.

but if I only do:

$ dig +qr any that.zone @192.168.2.100(server with signed zone)

then everything works fine, seemingly.

Forwarding server's conf snippet is pretty plain vanilla:

    zone "XXXX.ZZZZ" IN {
        forward only;
        type forward;
        forwarders port 53 { 192.168.2.100; };
    };

forwarding server is 9.9.4-RedHat-9.9.4-29.el7_2.3

What am I doing wrong, what am I missing?

many thanks,

L.


