How can I tell whether DNSSEC is working?

The simplest solution is to try to resolve one of the domains that are deliberately DNSSEC-broken for testing. An example (192.168.2.254 is my Turris Omnia):

% dig @192.168.2.254 A servfail.nl

; <<>> DiG 9.9.5-9+deb8u8-Debian <<>> @192.168.2.254 A servfail.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35638
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;servfail.nl.		IN A

;; Query time: 148 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Wed Dec 21 15:54:08 CET 2016
;; MSG SIZE  rcvd: 40

SERVFAIL is normal, the domain has been broken on purpose.

Ideally, you could run dig with the +cd option (Checking Disabled) and therefore see the data. Unfortunately, a bug in the Knot resolver prevents it :frowning: https://gitlab.labs.nic.cz/knot/resolver/issues/97

Also, when testing signed domains, you should see an AD (Authentic Data) flag. Another bug of the resolver prevents this simple test :frowning:

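As an added example (not part of the post above), the three checks it describes can be scripted: parse dig's header and flags lines, then judge the resolver from a broken domain, the same domain with +cd, and a signed domain. The dig outputs embedded here are constructed for the demonstration; the first reuses the header lines shown above.

```python
import re
from dataclasses import dataclass

@dataclass
class DigResult:
    status: str      # rcode from the header line, e.g. SERVFAIL / NOERROR
    flags: set       # header flags, e.g. {"qr", "rd", "ra", "ad"}

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)

def parse_dig(output: str) -> DigResult:
    """Extract rcode and header flags from the text output of dig."""
    m = STATUS_RE.search(output)
    if not m:
        raise ValueError("no status line in dig output")
    f = FLAGS_RE.search(output)
    flags = set(f.group(1).split()) if f else set()
    return DigResult(m.group(1), flags)

def assess_validation(broken: DigResult, broken_cd: DigResult, signed: DigResult) -> str:
    """Classify a resolver from: a deliberately broken domain (normal query),
    the same domain queried with +cd, and a correctly signed domain."""
    if broken.status != "SERVFAIL":
        return "not validating: broken domain was answered"
    notes = []
    if broken_cd.status != "NOERROR":
        notes.append("+cd did not bypass validation")
    if "ad" not in signed.flags:
        notes.append("no AD flag on signed domain")
    return "validating" + ("; " + "; ".join(notes) if notes else "")

# Constructed sample outputs (only the header and flags lines matter here).
BROKEN = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35638
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BROKEN_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(assess_validation(parse_dig(BROKEN), parse_dig(BROKEN_CD), parse_dig(SIGNED)))
```

A resolver that answers the broken domain with NOERROR is not validating at all; a SERVFAIL on the +cd query or a missing AD flag points at the resolver bugs mentioned in the post rather than at a validation failure.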