For what it's worth, I reported a related issue up to the systemd-devel mailing list, and it looks like in systemd 233 (the next version) things work much better with DNSSEC. https://lists.freedesktop.org/archives/systemd-devel/2017-April/038698.html
I rebuilt the 233 out of debian experimental, and at least for my use case, this all worked now.
For what it's worth, I reported a related issue up to the systemd-devel mailing list, and it looks like in systemd 233 (the next version) things work much better with DNSSEC. https:/ /lists. freedesktop. org/archives/ systemd- devel/2017- April/038698. html
I rebuilt the 233 out of debian experimental, and at least for my use case, this all worked now.