A part of the problem has been identified.
As mentioned earlier, I'm running dnsmasq2.80test2 and dnscrypt-proxy 2.0.11
I only have ipv4, my provider refuses to exchange my docsis 2 (ipv4 only) modem for a docsis 3 modem, so ...
In the wiki, section 'making things go faster', there is a setting 'block_ipv6 = false'. The wiki says to change it, so I did.
WRONG!!!
If you only have IPv4 and you're using dnsmasq + dnscrypt-proxy V2 + DNSSEC, don't change that setting!!!!
justification (from the dnsmasq developer):
'quote'
Looking at your logs, this is responsible for some of the BOGUS validations, if dnscrypt-proxy gives a synthetic reply to a query in a signed domain, that will fail DNSSEC validation, obviously.
If your network doesn't support IPv6, chances are that your applications are still constantly trying to resolve IPv6 addresses, causing unnecessary slowdowns.
This causes the proxy to immediately reply to IPv6 requests, without having to send a useless request to upstream resolvers, and having to wait for a response.
This uses a plugin that requires dnscrypt-proxy to be compiled with the ldns library.
'/quote'
I changed the setting back to it's default ('block_ipv6 = false') and some of the BOGUS errors have disappeared. In the item above (something strange I noticed), 'archive.raspberry.org' came up as BOGUS, when using 'sudo apt-get update'.
That problem is now solved by reverting to the default dnscrypt-proxy setting, however, still a long way to go for other false BOGUS errors...
To be continued.