DNSSEC has fallen out of favor recently. It's no longer a recommended standard for federal websites. It has not gained adoption in mainstream browsers. It's also a usability nightmare since you can't show anything to the user when resolution fails. This argument has been made in depth by, e.g., https://sockpuppet.org/blog/2015/01/15/against-dnssec/ or https://www.imperialviolet.org/2015/01/17/notdane.html.
I was wondering if you would consider disabling DNSSEC on the Sonic.net DNS resolvers. This might simplify the configuration, and make those servers more robust.