Since I've been trapped at home due to the pandemic and have more free time, I've recently enhanced my command line iterative DNS resolution testing tool, "resolve.py" to fully support DNSSEC validation. It was quite a bit of work, but I'm pleased with the results so far.
The tool is available at:
From the README file ..
A command line iterative DNS resolution testing program
A command line tool to perform iterative DNS resolution of a single DNS name, type, and class. If either type or class or both are omitted, then a default type of 'A' (IPv4 address record), and a default class of 'IN' (Internet class) are used.
I originally wrote this program to investigate the behavior of authoritative servers in the presence of query name minimization. Since then I've gradually developed it into a more full fledged iterative resolver. These days, I typically use this program to debug a variety of DNS problems. I prefer it over "dig +trace", because the latter only resolves the exact name given to it and does not follow CNAME and DNAME redirections, does not support query name minimization, and does not perform DNSSEC validation. (The newer "delv" program that ships with ISC BIND, does do DNSSEC validation, but requires the help of a DNSSEC aware resolver, and does not perform iterative name resolution by itself).