DNS forwarding doesn't work because MAAS enables dnssec

I have a MAAS server that uses a box running dnsmasq as a DNS forwarder.

With MAAS enabling dnssec by default, I get errors like these and DNS resolution from the MAAS provisioned machines doesn't work beyond what MAAS manages.

Aug 21 01:29:17 maas-region-hkg named[1147]: error (no valid RRSIG) resolving 'mediawiki/DS/IN': <ipv4addr>#53
Aug 21 01:29:17 maas-region-hkg named[1147]: error (network unreachable) resolving 'mediawiki/DS/IN': <ipv6addr>#53
Aug 21 01:29:17 maas-region-hkg named[1147]: error (network unreachable) resolving 'mediawiki/DS/IN': <ipv6addr>#53
Aug 21 01:29:17 maas-region-hkg named[1147]: error (insecurity proof failed) resolving 'mediawiki/AAAA/IN': <ipv4addr>#53
Aug 21 01:29:17 maas-region-hkg named[1147]: error (insecurity proof failed) resolving 'mediawiki/A/IN': <ipv4addr>#53

/etc/bind/named.conf options contains this stanza:

//
// This file is managed by MAAS. Although MAAS attempts to preserve changes
// made here, it is possible to create conflicts that MAAS can not resolve.
//
// DNS settings available in MAAS (for example, forwarders and
// dnssec-validation) should be managed only in MAAS.

I I disable dnssec, name resolution works, and I didn't find a place in the web UI where I can disable dnssec.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: maas 1.7.6+bzr3376-0ubuntu2~14.04.1
ProcVersionSignature: Ubuntu 3.19.0-25.26~14.04.1-generic 3.19.8-ckt2
Uname: Linux 3.19.0-25-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.11
Architecture: amd64
Date: Fri Aug 21 02:55:27 2015
InstallationDate: Installed on 2015-08-10 (10 days ago)
InstallationMedia: Ubuntu-Server 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: maas
UpgradeStatus: No upgrade log present (probably fresh install)