So I have dnssec=0 and dnsseccheckunsigned=0 so both disabled.
History: in 18:06 openwrt time frame, on desk top computers systemd set dnssec to allow-downgrade. On arm machines this gave many users problems, as DNS didn't work - due to DNSSEC issues. When looking into this (I didn't have a problem), I installed dnsmasq-full, and set on DNSSEC with the above both set to 1. When I was going to move to 19:07, I set both to zero, so assumed that DNSSEC was then disabled, so I would be OK with just dnsmasq.
Alas no, so updated to dnsmasq-full - and still the errors. Went back to my notes on 18.06, and the said create /usr/share/dnsmasq/trust-anchors.conf. Which is now populated (in dnsmasq-full) to:
# The root DNSSEC trust anchor, valid as at 10/02/2017
# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D