I think this might be kresd #359.
aljazeera.com. has said invalid configuration:
aljazeera.com. 300 IN CNAME 2-01-3b91-0003.cdx.cedexis.net.
2-01-3b91-0003.cdx.cedexis.net. 20 IN CNAME www.aljazeera.com.edgekey.net.
www.aljazeera.com.edgekey.net. 21600 IN CNAME e9106.dscg.akamaiedge.net.
e9106.dscg.akamaiedge.net. 20 IN A 188.8.131.52
When I Googled that DNSMasq error message, that was the only concrete explanation I found. For all I know, it could happen for lots of other reasons too.
(Relating to a different domain and resolver.)
There’s no issue with kresd’s own, internal DNSSEC validation – as far as I know – but there are issues with its responses that can break validating clients.