I have been making an effort to go full-on DNSSEC on my system with the following setup:

- dnscrypt-proxy installed, up and running on 127.0.0.1 with require_dnssec = true
- systemd-resolved running, with DNSSEC=yes and DNS=127.0.0.1
- only nameserver 127.0.0.1 in /etc/resolv.conf
- connected through NetworkManager to a WiFi network whose DHCP configuration, as I know, sets 8.8.8.8 and 8.8.8.4 as DNS servers

/run/systemd/resolve/resolv.conf lists 8.8.8.8 and 8.8.8.4 below 127.0.0.1.
resolvectl status shows

    DNSSEC setting: yes
    DNSSEC supported: yes
    Current DNS Server: 127.0.0.1
    DNS Servers: 127.0.0.1

in the Global section, but

    DNSSEC setting: yes
    DNSSEC supported: yes
    Current DNS Server: 8.8.8.8
    DNS Servers: 8.8.8.8
                 8.8.8.4

in my interface's section (why?).
tcpdump shows no activity at all on udp:53 when using a web browser, dig, or other normal usage. This I take to mean that my local dnscrypt-proxy is dealing with all DNS requests on my system. I also assume that, because of the configuration settings mentioned above, I am going DNSSEC all the way.
However, from time to time the journal contains lines like:

    Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
    Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN DS: failed-auxiliary
    Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN SOA: failed-auxiliary
    Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN A: failed-auxiliary
    Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
    Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
    Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
    Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
    Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN SOA: failed-auxiliary
    Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN A: failed-auxiliary
- resolvectl query v.dropbox.com results in the same DNSSEC validation error
- dig v.dropbox.com works just fine
- dig v.dropbox.com @8.8.8.8 also works just fine (of course resulting in two lines of output for tcpdump)
I also checked https://dnsleaktest.com , which tells me that a lot of 172.253.x.x servers are receiving a request to resolve domain names I enter into my web browser. These IPs seem to be owned by Google.

So, what does this mean? Is there any (non-DNSSEC) querying going on on this system?
Any insights are appreciated!
Asked by Bart Van Loon
(163 rep)
Nov 30, 2019, 04:38 AM
Last activity: Dec 29, 2019, 04:25 PM
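The two artifacts the question is built around, the per-link server list from resolvectl status and the systemd-resolved journal lines, can both be checked mechanically. The script below is an added example written for this page; it is not code from the question, from systemd or from dnscrypt-proxy. It parses a resolvectl status dump into scopes, reports every scope whose server list contains an address other than the local proxy listener (the per-link 8.8.8.8/8.8.8.4 entries are exactly such a path past dnscrypt-proxy), and tallies the "DNSSEC validation failed" journal lines per name, record type and result. The sample status text is constructed from the values quoted in the question; the link index and interface name wlp2s0 are assumptions, as is the LOCAL_LISTENERS set of proxy addresses. In practice you would feed it the real output of resolvectl status and journalctl -u systemd-resolved.

```python
import re
from collections import Counter

# Constructed `resolvectl status` excerpt using the values quoted in the question.
# The link index and the interface name wlp2s0 are assumptions.
SAMPLE_STATUS = """\
Global
      DNSSEC setting: yes
    DNSSEC supported: yes
  Current DNS Server: 127.0.0.1
         DNS Servers: 127.0.0.1

Link 3 (wlp2s0)
      Current Scopes: DNS
      DNSSEC setting: yes
    DNSSEC supported: yes
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.8.8
                      8.8.8.4
"""

# Journal lines as posted in the question.
SAMPLE_JOURNAL = """\
Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN DS: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved: DNSSEC validation failed for question bolt.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN A: failed-auxiliary
"""

# Addresses the local DNSCrypt proxy listens on (assumption: loopback only).
# Any other server in a scope is an upstream that plain UDP/53 queries can reach directly.
LOCAL_LISTENERS = {"127.0.0.1", "::1"}

# "Key: value" lines in resolvectl output have an alphabetic key. An IPv6
# continuation line such as "2001:4860:4860::8844" does not match this pattern.
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): *(.*)$")
FAIL_RE = re.compile(r"DNSSEC validation failed for question (\S+) IN (\S+): (\S+)")


def parse_resolvectl_status(text):
    """Map each scope ("Global", "Link N (ifname)") to its DNS servers and DNSSEC setting."""
    scopes = {}
    current = None
    in_server_list = False
    for raw in text.splitlines():
        if not raw.strip():
            in_server_list = False
            continue
        if not raw[0].isspace():            # an unindented line starts a new scope
            current = raw.strip()
            scopes[current] = {"servers": [], "dnssec": None}
            in_server_list = False
            continue
        line = raw.strip()
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_server_list = key == "DNS Servers"
            if in_server_list and value:
                scopes[current]["servers"].append(value)
            elif key == "DNSSEC setting":
                scopes[current]["dnssec"] = value
        elif in_server_list:                # indented continuation of the server list
            scopes[current]["servers"].append(line)
    return scopes


def bypass_servers(scopes, local=LOCAL_LISTENERS):
    """Scopes whose server list contains an upstream other than the local proxy."""
    result = {}
    for name, info in scopes.items():
        others = [s for s in info["servers"] if s not in local]
        if others:
            result[name] = others
    return result


def summarize_dnssec_failures(lines):
    """Count systemd-resolved validation failures per (name, rrtype, result)."""
    counts = Counter()
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.groups()] += 1
    return counts


if __name__ == "__main__":
    scopes = parse_resolvectl_status(SAMPLE_STATUS)
    for scope, servers in bypass_servers(scopes).items():
        print(f"{scope}: queries can reach {', '.join(servers)} without the local proxy")
    failures = summarize_dnssec_failures(SAMPLE_JOURNAL.splitlines())
    for (name, rrtype, result), n in failures.most_common():
        print(f"{n:3d}  {name} {rrtype} -> {result}")
```

On the sample above the first loop reports the link scope with 8.8.8.8 and 8.8.8.4, which is the concrete answer to "is there non-DNSSEC querying" as far as the plaintext transport goes: a DHCP-supplied per-link server is a resolver systemd-resolved can use without ever touching dnscrypt-proxy. The failure tally groups the journal noise so that repeated failures for one zone (here v.dropbox.com and its children) stand out from one-off hiccups.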