See How do I interperet the DNSSEC column in the query log? for info on DNSSEC and what the results mean.
As of Pi-hole 3.3, you can see the DNSSEC status in the query log.
SECURE are records that have been signed and verified to be unchanged from the authoritative DNS server
INSECURE are records that either have no signature or DNSSEC is not implemented for the domain; either the domain is unsigned and not implementing DNSSEC or there are other issues
BOGUS are records that have been signed but have changed or been altered from the authoritative DNS server
You will see
INSECURE, but that does not mean a bad record–just has not been implemented.
BOGUS records are something to look at, either they have been altered in transit or the domain maintainer has not updated the records correctly. At present, 90% of the records you see will be
INSECURE as there is not a lot of DNSSEC uptake currently.
If you see
BOGUS on a test for a known bad record then things look like they are configured correctly. As more domains move to utilizing DNSSEC the
INSECURE will tend to fade away, but we are a long ways away from full adoption of the technology.