dnssec constraint doesn't create violation

[Ashish Goel]

hello, 

i am using below constraint file in Forseti from here with corresponding template file here to get notification in CSCC when a managed DNS public zone is created / exist without DNSSEC set ON. 

apiVersion: constraints.gatekeeper.sh/v1alpha1

kind: GCPDNSSECConstraintV1

metadata:

  name: require_dnssec

  annotations:

    description: Checks that DNSSEC is enabled for a Cloud DNS managed zone.

spec:

  severity: high

  parameters: {}

 Forseti does not though create a violation . do you see any issue with above constraint file. 

thanks in advance

Ash