Before IPFire 2.19 core update 106, this required that the DNS servers the IPFire DNS proxy forwards queries to also must verify DNS responses. Because dnsmasq did not recursively resolve DNS queries, it needs to know if the domain supports DNSSEC and will then execute a verification for the requested DNS record. This limitation was removed after replacing dnsmasq with unbound.
Check out this great YouTube video that explains how DNSSEC validation works:
YouTube - How Does DNS Works : Resolving DNS With DNSSEC
In order to find out if your system properly works with DNSSEC, check out the DNSSEC resolver test from Universität Duisburg-Essen.