The change in 3.8 (corresponding to kresd 1.3.x) is that forwarding now does validate DNSSEC by default. I expect that in your case the servers you forward to obstruct obtaining the necessary records in some way, though it’s hard to be really certain based on the posted information alone.