Can you try setting your upstream to Quad 9 (filtered, DNSSEC) and enable DNSSEC to check that configuration. I'm able to get cache population with that configuration, and with DNSSEC disabled. I am seeing an upstream issue that causes no response what so ever if DNSSEC is enabled with an upstream that doesn't reply correctly.