Now the problem! I found the following in the config guide:
“When you assign a rewrite rule to a subset of forwarding classes, the commit does not fail, and the subset of forwarding classes works as expected. However, the forwarding classes to which the rewrite rule is not assigned are rewritten to all zeros”.
So now the switch is resetting everything to zero!
My next plan was to create rewrite rules for all DSCP values – effectively to rewrite the original value so it is preserved through the switch. Unfortunately, it seems rewrite rules are attached to a forwarding-class + loss priority, which leaves limited options (the QFX5100 only supports low, medium-high and high). There is no way to preserve all 64 possible DSCP values through the switch if you want to rewrite traffic in the BE forwarding class.
Is there a better way to reset untrusted traffic to DSCP zero while preserving DSCP values for trusted interfaces?