Questionable DNSSEC usefulness
On the page https://community.torproject.org/relay/setup/exit/#dns-on-exit-relays there is a recommendation to use a DNSSEC-validating local resolver.
But does it help anything? If validation fails, the resolver will SERVFAIL and either the OS will try a fallback one (likely not validating) or the exit will return an error to the client and the client will retry on another circuit.
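
The check below is an added example, not part of the original post. It lists the non-loopback `nameserver` entries in a resolv.conf-format file, which are the ones a stub resolver could fall back to after a SERVFAIL from the local resolver. The sample file contents and function names are constructed, and a loopback-only result does not by itself prove that the local resolver validates.

```python
import ipaddress
import sys

MAXNS = 3  # glibc's stub resolver uses at most the first three nameserver lines

# Constructed sample: a local resolver followed by an upstream fallback entry.
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 127.0.0.1
nameserver 192.0.2.53   ; upstream fallback
options edns0
"""

def parse_nameservers(text):
    """Return nameserver addresses in the order the stub resolver tries them."""
    servers = []
    for raw in text.splitlines():
        # Treat '#' and ';' as comment starts (lenient: also mid-line).
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers[:MAXNS]

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; a zone suffix such as %eth0 is ignored."""
    try:
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False  # unparsable entry: do not count it as local

def fallback_resolvers(text):
    """Nameservers other than the local one that a failed lookup could reach."""
    return [s for s in parse_nameservers(text) if not is_loopback(s)]

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_RESOLV_CONF
    extra = fallback_resolvers(text)
    if extra:
        print("non-loopback resolvers configured:", ", ".join(extra))
        sys.exit(1)
    print("only loopback resolvers configured")
```
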