Google Cloud DNS is an authoritative resolver, i.e. it responds to queries for zones that you own. It will not recurse to other DNS names, so it is no use for configuring clients.
Google also run a recursive DNS resolver (not to be confused with Cloud DNS):
https://developers.google.com/speed/public-dns/
but there is no way to configure this to return special results for your company or network.
As you say, the only real way to redirect queries to safesearch is via a modification to the recursive DNS resolver that your clients use.
(See here:
https://support.google.com/websearch/answer/186669?hl=en)
In this case I think your best bet is to have BIND recurse to 8.8.8.8, but with a manual RPZ for safesearch.
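
An added illustration, not part of the original answer: a minimal BIND configuration for the setup suggested above, forwarding recursion to 8.8.8.8 and applying a local RPZ zone that rewrites `www.google.com` to `forcesafesearch.google.com`, the name Google documents for enforcing SafeSearch. The zone name `rpz.safesearch`, the file paths and the client range `192.0.2.0/24` are assumptions to adapt to your network.

```conf
// ---- file: named.conf (paths and client range are assumptions) ----
options {
    directory "/var/named";

    // Answer recursive queries only for your own clients,
    // so the resolver is not open to the internet.
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };

    // Send everything that is not rewritten by the RPZ to Google Public DNS.
    forward only;
    forwarders { 8.8.8.8; };

    // Apply the local policy zone to every response.
    response-policy { zone "rpz.safesearch"; };
};

// The policy zone is consulted internally; clients never query it directly.
zone "rpz.safesearch" {
    type master;
    file "rpz.safesearch.db";
    allow-query { none; };
};

; ---- file: /var/named/rpz.safesearch.db ----
$TTL 300
@   IN SOA localhost. hostmaster.localhost. (
        1       ; serial, increment on every change
        3600    ; refresh
        600     ; retry
        86400   ; expire
        300 )   ; negative-cache TTL
    IN NS  localhost.

; Owner names are relative to the policy zone (no trailing dot);
; the CNAME target is absolute (trailing dot).
www.google.com    IN CNAME forcesafesearch.google.com.
```

Each additional Google search domain your clients use needs its own CNAME line in the policy zone. Validate with `named-checkconf` and `named-checkzone rpz.safesearch /var/named/rpz.safesearch.db` before reloading.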