Você leu man dnsmasq ? Em parte:
--proxy-dnssec
A resolver on a client machine can do DNSSEC validation in two
ways: it can perform the cryptograhic operations on the reply it
receives, or it can rely on the upstream recursive nameserver to
do the validation and set a bit in the reply if it succeeds.
Dnsmasq is not a DNSSEC validator, so it cannot perform the
validation role of the recursive nameserver, but it can pass
through the validation results from its own upstream
nameservers. This option enables this behaviour. You should only
do this if you trust all the configured upstream nameservers and
the network between you and them. If you use the first DNSSEC
mode, validating resolvers in clients, this option is not
required. Dnsmasq always returns all the data needed for a
client to do validation itself.
Parece que seus resolvedores de upstream não estão passando o resultado da validação.
No meu sistema (YMMV):
w3@aardvark:~(0)$ dig @127.0.1.1 dnssec-failed.org
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @127.0.1.1 dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55446
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnssec-failed.org. IN A
;; Query time: 871 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Apr 28 18:17:59 EDT 2016
;; MSG SIZE rcvd: 46
w3@aardvark:~(0)$ dpkg -l dnsmasq\*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================================-=======================-=======================-=============================================================================
un dnsmasq <none> <none> (no description available)
ii dnsmasq-base 2.68-1ubuntu0.1 amd64 Small caching DNS proxy and DHCP/TFTP server
w3@aardvark:~(0)$