[knot-resolver-users] Writing a module to forward a query to another nameserver if recursive resolution fails

Hello, We operate recursive resolvers in our network in AWS and from within the AWS network there are certain authoritative nameservers that block large swaths of the AWS IP range, causing resolution to fail for us. So I'm attempting to write a module that will handle failures reaching external resolvers and retry the query by forwarding it to a major resolver like cloudflare DNS. We push a ton of DNS query traffic so we do not want to simply forward to a public resolver, we only want to forward if recursion doesn't work for some reason. I've poured through the documentation and source code and tried to hook a variety of places, but I can't seem to find a good spot to hook the request failure. The finish layer allows me to hook the SERVFAIL, but by then it is too late to do anything. Using a simple policy, I was actually able to do something close by calling ensure_answer(), clearing the answer, setting the same forwarding flags as the forward policy, and then calling ensure_answer() again and I could see the query getting sent to cloudflare, so it seems like this is possible, but at the policy level it's too early to know if a query will result in a SERVFAIL. Could anyone point me in the right direction here? Thank you! Paul