I wonder if you add “proxy-dnssec” to /jffs/configs/dnsmasq.conf.add and restart dnsmasq, does that help?Blindness sometimes an issue here as well....... :-(
However, yes, DNSSEC enabled breaks DoT for me, regardless of servers chosen. (I’ve tried with all Cloudflare, & all Quad9, no difference.)
DNSSEC + DoT totally kills my WAN connection.
So, I can have DoT, or DNSSEC, but not both.