I tested John's latest release overnight and it worked very well with Stubby and DNSSEC enabled. The ability to make changes to upstream resolvers in the GUI is great for the average user.
I decided to go back to Merlin 384.7_2 with the Entware Stubby add on because of a couple of "extras" that are included in the firmware.
I also wanted to try a different location for the trust anchors. The default location is on the USB drive which is not really a fast read/write. I had mentioned a while back that I tested using the /jffs to store the trust anchors and got loads of grief about wearing out the NAND. Thinking about where elst that is fast I decided to try the /dev/shm as in most Linux distros this is tmpfs or, for the old guys, RAM drive. Asus probably does not have a lot of space there to use but with three files of 7KB total it should work. And it does quite well.
In the stubby.yml change to:
Some of you will quickly point out that tmpfs is wiped on restart and those three files will be lost forever. So what? Stubby will download fresh trust anchors the first time a DNS request is made.
Oh, I have set the NTP Server to an IP address of a time server.
Am also successfully using the CleanBrowsing Security resolvers.