Dnssec by default in the next major release?

I'd like to hope that dnssec in dnsmasq is now stable enough to enable by default. Given the whole DOH controversy that sticks increasingly in my craw... having better dns along the edge would cheer me up. Also, the default dns cache size in dnsmasq is too small if you have any amount of RAM > 32MB, IMHO.

What barriers still exist to deploying dnssec?

1 Like

Maybe @ldir can comment on the overall reliability but enabling it by default might make sense. I'd also like to ship 20.x with SSL support by default so DNSSEC by default would fit into the picture.

4 Likes

Serendipitous timing. Simon released v2.81 late last night after 18 months of waiting. I'd say it comes with some significant improvements with regard to TCP handling and hence dnssec caching, and I don't really see any blockers. There was also a DNSSEC-induced crash that attracted a bit of attention (a cloudflare snafu that tweaked dnsmasq in exactly the wrong way). It was never clear to me whether it affected 2.80 or if it was the result of the TCP improvement that was done 1 commit after the 2.80 release.

I'm about to push the bump into master. I'd wait/think a bit before bumping into 19.07.

In terms of caching, yes 150 entries does sound a bit small. kill -USR1 $(pidof dnsmasq) will dump current cache stats to syslog, in my instance where I use a cache size of 1500 I see - "cache size 1500, 0/7050 cache insertions re-used unexpired cache entries." For my workload, my cache size is too big, since none of the 7050 cache insertions force an eviction. With a 4G APU2, I can afford the waste :slight_smile:

Enabling DNSSEC by default might require a few preparatory steps for the dnsmasq package, as right now there is pretty much just the "normal" variant and a "full" variant enabling all kinds of functionality, including DNSSEC. The full variant also includes lots of other unnecessary stuff.

DNSSEC in dnsmasq also requires libnettle, right? That seems to be a 244 kB .ipk for ipq806x and ath79, so it will add quite a lot of size. That would likely not be suitable for "tiny" devices.

The first step might be to define a middle variant dnsmasq-dnssec with the required dependencies, so that the impact might be seen and evaluated.

Also not quite sure what the default settings should be, taking into account that not all ISPs support DNSSEC. Could the feature be built in, but not enabled by default? Or would it be enabled with relaxed fallback allowed?

I am not sure if that is a trustworthy statistic, given the amount of re-use I also see. Then again, the world just goes to 5 websites these days....

```
Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: cache size 5000, 0/2184890 cache insertions re-used unexpired cache entries.
Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: queries forwarded 2538723, queries answered locally 1630909
```

_Pretty good number for re-use!_

I have been tracking a pretty high failure rate of late, especially during peak hours, for this first name server.

```
Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: queries for authoritative zones 0
Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: server 75.75.75.75#53: queries sent 989184, retried or failed 109368
Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: server 2001:558:feed::2#53: queries sent 580019, retried or failed 47744
Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: server 2001:558:feed::1#53: queries sent 784164, retried or failed 56810
Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: server 75.75.76.76#53: queries sent 579972, retried or failed 577
```

150 is def too low for this other box. I just bumped it to 5000 too. (yes, @ldir, with the release of that dnsmasq version, I had hopes I could finally turn dnssec back on again in my deployment. We finished the initial work when? 2015? :frowning: )

```
cache size 150, 3066614/11838569 cache insertions re-used unexpired cache entries.
Sun Apr 12 08:56:21 2020 daemon.info dnsmasq[5774]: queries forwarded 4237733, queries answered locally 923520
Sun Apr 12 08:56:21 2020 daemon.info dnsmasq[5774]: server 75.75.75.75#53: queries sent 4206119, retried or failed 293566
Sun Apr 12 08:56:21 2020 daemon.info dnsmasq[5774]: server 75.75.76.76#53: queries sent 609762, retried or failed 53378
```
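
As an added example (not posted by anyone in this thread, and not part of dnsmasq or OpenWrt), here is a small POSIX shell/awk helper that turns the `kill -USR1 $(pidof dnsmasq)` statistics lines discussed above into the two numbers that actually decide the cache-size and upstream questions: the share of insertions that evicted an unexpired entry (non-zero means the cache is too small for the workload) and the retried-or-failed percentage per upstream server. It assumes the log format shown in the posts above (dnsmasq 2.8x, as read with `logread` on OpenWrt); the sample lines in `sample_stats` are constructed from the figures quoted in the thread.

```shell
#!/bin/sh
# Added example: summarise dnsmasq "cache size" and "server ..." statistics
# lines (as written to syslog after "kill -USR1 $(pidof dnsmasq)").
# Reads log lines on stdin, prints one summary line per matching input line.
# Assumption: dnsmasq 2.8x log format as shown in the thread; busybox awk suffices.
dnsmasq_stats_summary() {
    awk '
    # "cache size N, R/I cache insertions re-used unexpired cache entries."
    # R = insertions that evicted an unexpired entry, I = total insertions.
    /cache size [0-9]+, [0-9]+\/[0-9]+ cache insertions/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "size") { size = $(i + 1); sub(/,$/, "", size) }
            if ($i ~ /^[0-9]+\/[0-9]+$/) { split($i, a, "/"); reused = a[1]; ins = a[2] }
        }
        pct = (ins + 0 > 0) ? 100 * reused / ins : 0
        printf "cache: size=%s insertions=%s evicted=%s (%.1f%%)\n", size, ins, reused, pct
        if (reused + 0 > 0)
            printf "cache: %s unexpired entries were evicted; consider raising cache-size\n", reused
        next
    }
    # "server IP#PORT: queries sent S, retried or failed F"
    /server [^ ]+: queries sent [0-9]+, retried or failed [0-9]+/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "server") { srv = $(i + 1); sub(/:$/, "", srv) }
            if ($i == "sent")   { sent = $(i + 1); sub(/,$/, "", sent) }
            if ($i == "failed") { failed = $(i + 1) }
        }
        pct = (sent + 0 > 0) ? 100 * failed / sent : 0
        printf "server %s: sent=%s failed=%s (%.1f%%)\n", srv, sent, failed, pct
        next
    }'
}

# Constructed sample input (numbers taken from the posts above), so the
# example runs offline. On a router you would use: logread | dnsmasq_stats_summary
sample_stats() {
    printf '%s\n' \
      'Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: cache size 5000, 0/2184890 cache insertions re-used unexpired cache entries.' \
      'Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: queries forwarded 2538723, queries answered locally 1630909' \
      'Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: server 75.75.75.75#53: queries sent 989184, retried or failed 109368' \
      'Sun Apr 12 08:39:36 2020 daemon.info dnsmasq[2453]: server 75.75.76.76#53: queries sent 579972, retried or failed 577' \
      'cache size 150, 3066614/11838569 cache insertions re-used unexpired cache entries.'
}

# Usage: sample_stats | dnsmasq_stats_summary
```

Lines that are not cache or server statistics (queries forwarded, authoritative zones) are ignored. A cache line with `evicted=0` means the cache never had to throw away a still-valid answer, so the configured `cache-size` is at least as large as the working set; a large eviction percentage, as in the 150-entry case, is the signal that the default is too small for that box. The per-server percentage makes an upstream with a high retried-or-failed ratio stand out next to its siblings.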