Reinhard Max changed bug 1192282

What         Removed   Added
Status       NEW       RESOLVED
Resolution   ---       INVALID

Comment # 3 on bug 1192282 from
This is intended behaviour due to the change of the default for
--dnssec-check-unsigned in version 2.80. To restore the old insecure behavior
you can set

dnssec-check-unsigned=no

--- snip ---
       --dnssec-check-unsigned[=no]
              As a default, dnsmasq checks that unsigned DNS
              replies are legitimate: this entails possible extra
              queries even for the majority of DNS zones which are
              not, at the moment, signed. If --dnssec-check-unsigned=no
              appears in the configuration, then such replies are
              assumed to be valid and passed on (without the
              "authentic data" bit set, of course). This does not
              protect against an attacker forging unsigned replies
              for signed DNS zones, but it is fast.

              Versions of dnsmasq prior to 2.80 defaulted to not
              checking unsigned replies, and used
              --dnssec-check-unsigned to switch this on. Such
              configurations will continue to work as before, but
              those which used the default of no checking will need
              to be altered to explicitly select no checking. The new
              default is because switching off checking for unsigned
              replies is inherently dangerous. Not only does it open
              the possibility of forged replies, but it allows
              everything to appear to be working even when the
              upstream nameservers do not support DNSSEC, and in this
              case no DNSSEC validation at all is occurring.

--- snap ---
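The workaround named in the comment above (dnssec-check-unsigned=no) is exactly the setting the 2.80 man page calls inherently dangerous, so it is worth being able to spot it in a deployed configuration. The following is an added example, not part of the bug report and not dnsmasq's own code: a POSIX shell function that reads a dnsmasq.conf and classifies its DNSSEC posture. The option names (dnssec, proxy-dnssec, dnssec-check-unsigned) are dnsmasq's; the classification labels and the sample configurations are constructed for this example.

```shell
# Added example (not from bug 1192282 or from dnsmasq): classify a
# dnsmasq configuration's DNSSEC posture.
#
# Output labels (constructed for this example):
#   validating-strict             dnssec set, unsigned replies are checked
#                                 (the 2.80+ default)
#   validating-unsigned-unchecked dnssec set, but dnssec-check-unsigned=no
#                                 restores the pre-2.80 insecure behaviour
#   proxy-only                    proxy-dnssec only: the AD bit from upstream
#                                 is passed through, nothing is validated here
#   no-dnssec                     no DNSSEC validation configured at all

# Normalise option lines: drop comments and surrounding whitespace.
# With no argument sed reads stdin, so the function works on a pipe too.
normalize_conf() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$@"
}

# Usage: audit_dnsmasq_dnssec [/etc/dnsmasq.conf]   (or feed config on stdin)
audit_dnsmasq_dnssec() {
  opts=$(normalize_conf "$@")

  if ! printf '%s\n' "$opts" | grep -qx 'dnssec'; then
    if printf '%s\n' "$opts" | grep -qx 'proxy-dnssec'; then
      echo proxy-only
    else
      echo no-dnssec
    fi
    return 0
  fi

  # dnssec is on; the only question is whether unsigned replies are checked.
  if printf '%s\n' "$opts" | grep -qx 'dnssec-check-unsigned=no'; then
    echo validating-unsigned-unchecked
    return 0
  fi
  echo validating-strict
}

# Constructed sample configurations (not taken from the bug report).
printf 'dnssec\nconf-file=/usr/share/dnsmasq/trust-anchors.conf\n' \
  | audit_dnsmasq_dnssec
printf 'dnssec\n# restore pre-2.80 behaviour\ndnssec-check-unsigned=no\n' \
  | audit_dnsmasq_dnssec
printf 'server=192.0.2.1\n' | audit_dnsmasq_dnssec
```

Run it against the real file with `audit_dnsmasq_dnssec /etc/dnsmasq.conf`. If the result is validating-unsigned-unchecked, the preferable fix is usually not to keep the override but to find out why unsigned-reply checking failed in the first place: the man page text above says the new default exists precisely to expose upstream nameservers that do not support DNSSEC, and a quick `dig +dnssec` for a known-signed name against that upstream (RRSIG records present or not) tells you whether that is the case.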

