Just a tip:
When DNSSEC runs with "Servfail" or "Bogus" errors, the cause is often trivial: the PI's system time deviates by more than 2-3 seconds.
Simple remedy: an RTC. Installation is easy and the cost is low at €3-5. One possibility is an RTC DS3231 IIC from the bay, suitable with a Plug&Play header connector. When set, the clock continues to function even in the event of a power outage or similar thanks to a battery backup.
Example