Questions / issues with DoT & DNSSEC

Hello everyone,

after I set up my network, wireless and firewall configuration with my Netgear R6220 on OpenWRT 21.02, I am now at the point of DoT and DNSSEC. I have followed the wiki (

My first question for DoT:
On the wiki it says:

Check your DNS provider. Make sure there is no DNS leak.

After I run the test, it shows me "", which I set up during the configuration process.
Does this now mean that DoT is working? From the quote, I would say no, as there is a DNS leak. Or did I get anything wrong?

My second question for DNSSEC:

I have set up the following parameters from this guide (German):

uci set dhcp.@dnsmasq[0].dnssec=1
uci set dhcp.@dnsmasq[0].dnsseccheckunsigned=1

After these steps, when running the command dig +dnssec +multi @ the "ad" flag is missing, which shows me that DNSSEC is not working. Output:

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;    IN A

I took the same steps back in OpenWRT 19.07 and there everything was working.
Here is my dnsmasq config:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list server ''
        option noresolv '1'
        option dnssec '1'
        option dnsseccheckunsigned '1'

Thank you for your help & support.

Cheers, Lasko
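
An added example, not part of the original post: a shell helper that reads dig output and separates the three cases the header can show, namely SERVFAIL (no answer at all, which is also what a validating resolver returns when validation fails), NOERROR with the "ad" flag (validated), and NOERROR without it (answered but not validated). The function name `classify_dig` and the two NOERROR samples are constructed for illustration; only the SERVFAIL header comes from the post.

```shell
#!/bin/sh
# Usage on a live system: dig +dnssec <name> @<resolver> | classify_dig
# Prints: validated | unvalidated | servfail | other:<STATUS> | unparsed

classify_dig() {
    awk '
        /->>HEADER<<-/ {
            # ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12733"
            if (match($0, /status: [A-Z]+/))
                status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            # ";; flags: qr rd ra; QUERY: 1, ..." -> keep only "qr rd ra"
            flags = $0
            sub(/^;; flags: */, "", flags)
            sub(/;.*/, "", flags)
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            if (status == "")                   print "unparsed"
            else if (status == "SERVFAIL")      print "servfail"
            else if (status == "NOERROR" && ad) print "validated"
            else if (status == "NOERROR")       print "unvalidated"
            else                                print "other:" status
        }'
}

# Header lines quoted in the post above.
POST_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Constructed samples (not from the post): a validated and an unvalidated answer.
VALIDATED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
UNVALIDATED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

for sample in "$POST_SAMPLE" "$VALIDATED_SAMPLE" "$UNVALIDATED_SAMPLE"; do
    printf '%s\n' "$sample" | classify_dig
done
```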