Just a copy-paste from the documentation:
"The zone can use the forwarders only for servicing name resolution requests; this is
called a forward-only zone. A forward-only zone does not check its own name records. Only
the forwarder server records are checked. If the record does not exist on the configured
forwarders, then the zone returns a negative response to the client."
So, effectively, you forward all DNS requests to the AD server and AD asks the IPA server
for the *.NIX.MY.COM.
Are you sure there is no other issue? I have 3 forwarders in my setup without any issue
(so far).