Please also enable the dnssec logging channel with at least "severity debug 3;" It will provide further logging to clarify what you are seeing. (By the way, the DNSSEC logging is becoming more clear and thorough, hopefully for BIND 9.7.0.)