1.1.1.1 doesn't pass DNSSEC check on Android 9

I have 1.1.1.1 installed on my Android 9.0 enabled mobile device. When I visit the Encrypted SNI-site of Cloudflare, it confirms that I use 1.1.1.1, but the DNSSEC-check fails. The test at http://en.conn.internet.nl/connection also indicates that DNSSEC validation is not working. At my desktop, everything works well, although my desktop doesn’t use DoT/DoH.

How is this possible? My first assumption is that Android does a fallback to the DHCP acquired DNS-server on a SERVFAIL from 1.1.1.1?

Diagnostics: https://1.1.1.1/help#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJZZXMiLCJpc0RvaCI6Ik5vIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJZZXMiLCJkYXRhY2VudGVyTG9jYXRpb24iOiJBTVMiLCJpc3BOYW1lIjoiWmlnZ28iLCJpc3BBc24iOiI5MTQzIn0=

In the meantime something has been changed. The check passes now.

Not sure if the app does this by default but resetting the WiFi on an Android device should flush your DNS cache.

I get the same message on firefox using 1.1.1.1 with DoH and ESNI