Quoting a Let's Encrypt enginner here:
This doesn't sound like discussing about DNSSEC here is going to help anyone. Based on my understanding of the situtation, the DNSSEC is fine for the top TLD. The issue appears to be that Let's Encrypts resolvers are blocked by top nameservers, only receiving a bogus response. The DNSSEC query just happens to be (one of) the first queries unbound hits the top nameserver with. Hence the DNSSEC failure is likely to be a symptom of the problem, not the cause. This also explains why every other resolver has zero issues with the DNSSEC for the top TLD.