dnsmasq since 2.80 is able to proxy DNSSEC enabled queries just fine and does not require dnssec-proxy parameter. If the connection to upstream server is not protected by additional layer such as VPN or TLS channel (which is not supported by dnsmasq), AD bit value reported by the remote resolver is not a good indication the answer received is genuine.
On the other hand dnsmasq can do own and more proper dnssec validation. If it does not do the validation, do not set AD bit to all its answers. Make local replies insecure by default, unless they are verified locally.
Signed-off-by: Petr Menšík email@example.com