However, I would like to point it to OpenNIC for resolution/forwarding so that I can resolve the expanded/alternative TLDs.
OpenNIC is a bad practice, on multiple levels in my opinion, so I'll be brief around supporting that use case. Anyway, here's a working config:
modules = { 'hints > iterate' }

hints.root({ -- https://wiki.opennic.org/opennic/t2hints
    ['some.opennic.root.'] = { '168.119.153.26' }
})

--[[ Replace the official (ICANN) root DNSSEC trust anchor by OpenNIC's.
     BEWARE: this gives OpenNIC power to spoof *all* names, not just in the newly added TLDs.
     Current DS can be obtained as mentioned on https://wiki.opennic.org/opennic/dnssec
         dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - .
--]]
trust_anchors.remove('.')
trust_anchors.add('. IN DS 60820 8 2 A01E33C8E95712E555FA9E6C09921830F3A518E36C5998F4ADBF5570AA86B538')

-- Avoid some mess that I don't want to debug in knot resolver 5.x
trust_anchors.set_insecure({ 'opennic.glue.', 'glue.' })
Well, it's not 100% reliable. I ran into some of their servers that don't return signatures when they should, so that leads to SERVFAILs. And don't forget to clear cache when you change to incompatible trust anchors, e.g. remove the data.mdb file.
Generally it might be better to overlay just the (selected) TLDs. Current Knot Resolver can do that well only from another resolver (not auth), e.g.
extraTrees = policy.todnames({'libre', 'null'})
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees))

-- select a couple close resolver IPs, e.g. directly on https://www.opennic.org
-- for simplicity, we don't validate DNSSEC for those
policy.add(policy.suffix(policy.STUB({'2a00:dcc0:eda:88:245:71:858e:a15'}), extraTrees))
--Vladimir
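One practical check before pasting a DS line into trust_anchors.add(): recompute the DS from the DNSKEY the server actually hands you (the `dig ... | dnssec-dsfromkey -2 -f - .` step in the config comment) and confirm the tag, algorithm and digest match. The script below is an added example, not part of Vladimir's reply and not Knot Resolver code; it reimplements the DS derivation from RFC 4034 (section 5.1.4 and Appendix B) in plain Python. The DNSKEY it runs on is constructed test data with a tiny fake public key, not a real OpenNIC or ICANN key, so the DS it prints is only meaningful for that fake key.

```python
"""Derive and check a DNSSEC DS record from a DNSKEY record.

Added example (not from the original post, not Knot Resolver code).
Reproduces what `dnssec-dsfromkey -2 -f - .` computes, so a DS line
destined for trust_anchors.add() can be checked against the DNSKEY
actually served. DIGEST_ALGS maps DS digest types from RFC 4509/6605.
"""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed test data: a fake 4-byte "key" so the key tag is hand-checkable.
SAMPLE_DNSKEY = ". IN DNSKEY 257 3 8 AAEAAg=="


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an absolute owner name; '.' -> b'\\x00'."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, rdata)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, proto, alg = (int(t) for t in tokens[idx + 1 : idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4 :]))
    return owner, struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(wire: bytes, digest_type: int = 2) -> str:
    """Upper-case hex digest over owner-name wire || DNSKEY RDATA."""
    return DIGEST_ALGS[digest_type](wire).hexdigest().upper()


def dnskey_to_ds(line: str, digest_type: int = 2) -> str:
    """Render the DS record (presentation format) for a DNSKEY line."""
    owner, rdata = parse_dnskey(line)
    digest = ds_digest(name_to_wire(owner) + rdata, digest_type)
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def ds_matches(ds_line: str, dnskey_line: str) -> bool:
    """True iff ds_line is the DS of dnskey_line: same owner, tag, algorithm and digest."""
    t = ds_line.split()
    idx = t.index("DS")
    tag, alg, dtype = (int(x) for x in t[idx + 1 : idx + 4])
    digest = "".join(t[idx + 4 :]).upper()
    owner, rdata = parse_dnskey(dnskey_line)
    return (
        name_to_wire(owner) == name_to_wire(t[0])
        and tag == key_tag(rdata)
        and alg == rdata[3]
        and digest == ds_digest(name_to_wire(owner) + rdata, dtype)
    )


if __name__ == "__main__":
    ds = dnskey_to_ds(SAMPLE_DNSKEY)
    print(ds)
    print("matches:", ds_matches(ds, SAMPLE_DNSKEY))
```

To use it for real, feed the output of `dig @195.201.99.61 . DNSKEY +short` (prefixed with the owner name) into dnskey_to_ds and compare with the DS you intend to add. Note what this does and does not prove: a matching DS only confirms the anchor corresponds to the key that server serves; it says nothing about whether that operator should be trusted for all names, which is exactly the caveat in the config comment.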