Is there a reason why dnssec is turned off in dnsmasq?
It’s not turned off so much as not turned on. This is a feature that needs explicit opt-in.
For LXD, you could set raw.dnsmasq to --dnssec which should enable it.
That doesn’t worked.
I had to set the following:
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec
dnssec-check-unsigned