As of Pi-hole 3.3, you can see the DNSSEC status in the query log.
SECURE are records that have been signed and verified to be unchanged from the authoritative DNS server
INSECURE are records that have no signature or whose domain does not implement DNSSEC: either the domain is unsigned and not implementing DNSSEC, or there are other issues
BOGUS are records that have been signed but have been changed or altered from the authoritative DNS server
You will see INSECURE, but that does not mean a bad record, only that DNSSEC has not been implemented for the domain. BOGUS records are something to look at: either they have been altered in transit or the domain maintainer has not updated the records correctly. At present, 90% of the records you see will be INSECURE, as there is not a lot of DNSSEC uptake currently.
If you see BOGUS on a test for a known bad record, then things look like they are configured correctly. As more domains move to utilizing DNSSEC, the INSECURE status will tend to fade away, but we are a long way from full adoption of the technology.
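The same three outcomes can also be recognized from the client side when running the known-bad-record test through a validating resolver; this is an added example, not Pi-hole code, and it goes beyond the query log described above. It assumes the test is run with dig, once normally and once with `+cd` (checking disabled), and the function names and sample headers are constructed for illustration.

```python
import re

# Constructed dig header excerpts (not captured from a real resolver).
SIGNED_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
UNSIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
BROKEN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
BROKEN_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
OUTAGE_CD = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1005
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""


def parse_header(dig_output):
    """Return (status, set_of_flags) from the header lines of dig output."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"flags: ([a-z ]*);", dig_output)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())


def classify(normal, checking_disabled=None):
    """Map a resolver's answers onto SECURE / INSECURE / BOGUS.

    normal            -- dig output for the plain query
    checking_disabled -- dig output for the same query sent with +cd
    Assumption: the resolver validates DNSSEC; without validation every
    answer would look INSECURE here.
    """
    status, flags = parse_header(normal)
    if status in ("NOERROR", "NXDOMAIN"):
        # The AD flag marks an answer (or denial) the resolver validated.
        return "SECURE" if "ad" in flags else "INSECURE"
    if status == "SERVFAIL" and checking_disabled is not None:
        # A validating resolver answers SERVFAIL for bogus data. If the
        # same query succeeds with validation switched off, the failure
        # was the signature check and not an upstream outage.
        cd_status, _ = parse_header(checking_disabled)
        if cd_status == "NOERROR":
            return "BOGUS"
    return "UNKNOWN"


if __name__ == "__main__":
    print(classify(SIGNED_OK), classify(UNSIGNED), classify(BROKEN, BROKEN_CD))
```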