Error when using dig when I enable DNSSEC on pihole

I’d like to have pi-hole enable DNSSEC for my traffic. From Settings>DNS I checked “Use DNSSEC” but interestingly, when I try the dig command to test, I get this but am unsure why:

% dig +dnssec debian.org
;; Truncated, retrying in TCP mode.
;; Connection to 172.17.1.250#53(172.17.1.250) for debian.org failed: connection refused.

If I watch the pihole.log when I try that dig command it does seem to be getting through…

# tail -f /run/log/pihole/pihole.log
Dec 19 15:00:26 dnsmasq[546]: query[A] debian.org from 10.9.8.228
Dec 19 15:00:26 dnsmasq[546]: forwarded debian.org to 172.17.1.1
Dec 19 15:00:26 dnsmasq[546]: dnssec-query[DS] debian.org to 172.17.1.1
Dec 19 15:00:26 dnsmasq[546]: reply debian.org is 128.31.0.62
Dec 19 15:00:26 dnsmasq[546]: reply debian.org is 130.89.148.77
Dec 19 15:00:26 dnsmasq[546]: reply debian.org is 149.20.4.15

Grrrr… the problem seems to be with Cloudflare. When I have their DNS servers configured, I get the error I posted above, but when I switch over to Quad9, everything works as expected and the dig command returns the ad flag finally. Why?

% dig +dnssec debian.org

; <<>> DiG 9.14.8 <<>> +dnssec debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34867
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
...