I was looking at the pihole log to figure out if DNSSEC was actually working, and found the following entries:
Jan 26 08:07:47 dnsmasq[16477]: reply cloudflare.com is BOGUS DNSKEY
Jan 26 08:07:47 dnsmasq[16477]: validation result is BOGUS
Google turned up this alarming (to me) document, containing the exact same log entries and this explanation:
Dnsmasq has implemented ECDSA since 2.69, however it was broken and not fixed until 2.73
Unfortunately, a fully updated Raspbian Jessie Lite comes with version 2.72, thus without the fix (Fix broken DNSSEC validation of ECDSA signatures).
NOT quite sure if implementing DNSSEC is beneficial for pihole at this stage...
So I decided to jump in, after making a backup image of my SD card.
Found this document, on how to upgrade dnsmasq.
Unfortunately, this guide installs a new version of dnsmasq in /usr/local/sbin (the Raspbian version is installed in /usr/sbin), and the packages aren't compiled with the DNSSEC option.
Searching the debian packages, I found dnsmasq_2.76-5_all.deb here, not quite sure how to proceed...
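
The two conditions raised in the post above (a dnsmasq older than 2.73, or a build without the DNSSEC option) can be checked from the output of `dnsmasq --version`. The following is an added example, not part of the original post: the function names and the sample version text are constructed, and it assumes the usual "Dnsmasq version" and "Compile time options:" lines.

```shell
#!/bin/sh
# Reads `dnsmasq --version` output on stdin and prints one verdict:
#   ok | too-old | no-dnssec | unparsed
# The 2.73 threshold is the ECDSA fix version quoted in the post.
check_dnsmasq_dnssec() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" |
        sed -n 's/^Dnsmasq version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    [ -n "$ver" ] || { echo unparsed; return 2; }
    major=${ver% *}
    minor=${ver#* }
    opts=$(printf '%s\n' "$out" | sed -n 's/^Compile time options: //p')
    # A build without validation lists "no-DNSSEC", which must not match.
    case " $opts " in
        *" DNSSEC "*) ;;
        *) echo no-dnssec; return 1 ;;
    esac
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 73 ]; }; then
        echo too-old
        return 1
    fi
    echo ok
}

# Reads a dnsmasq/pihole log on stdin and lists each name whose reply was
# marked BOGUS, using the log line format shown in the post.
bogus_names() {
    sed -n 's/.*dnsmasq\[[0-9]*\]: reply \(.*\) is BOGUS.*/\1/p' | sort -u
}

# Constructed sample: version text shaped like a 2.72 build with DNSSEC.
SAMPLE_272='Dnsmasq version 2.72  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect'

# Log lines as quoted in the post.
SAMPLE_LOG='Jan 26 08:07:47 dnsmasq[16477]: reply cloudflare.com is BOGUS DNSKEY
Jan 26 08:07:47 dnsmasq[16477]: validation result is BOGUS'

printf 'sample build: '
printf '%s\n' "$SAMPLE_272" | check_dnsmasq_dnssec || true
printf 'bogus names:  '
printf '%s\n' "$SAMPLE_LOG" | bogus_names
```

On a live system, pipe the real output in with `dnsmasq --version | check_dnsmasq_dnssec`, using the full path (/usr/sbin or /usr/local/sbin) to pick which of the two installed binaries is being checked.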