router – Does Cloudflare’s DNS-over-TLS implement DNSSEC too?


DoT and DoH are both essentially just encrypted tunnels for traditional DNS.
These protocol variations do not make any inherent guarantees regarding DNSSEC behavior and they also do not make any attempt at functionally replacing DNSSEC. So there is no general answer for DoT or DoH across the board.
As one technology does not replace the other in this case, you probably want both.

Now, if the DoT (or DoH) service provider promises that they do DNSSEC validation (in the case of 1.1.1.1 I’m pretty sure this is the case operationally, but I don’t know that they have committed to this in any legal sense) and you actually trust them with this, you could just have the DNSSEC validation happening on their end of the DoT (or DoH) tunnel.
Otherwise (if they do not validate, or you just cannot trust that they will consistently validate), you need to validate on your end just like with plain DNS.
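One way to check what the far end of the tunnel is doing, as an added example that is not part of the original answer: build a query with the EDNS0 DO bit, frame it for DoT, and classify the resolver from the AD flag on a correctly signed name and the RCODE on a deliberately mis-signed one. The function names and the sample response headers are constructed for illustration.

```python
import struct

AD, CD, RCODE_MASK, SERVFAIL = 0x0020, 0x0010, 0x000F, 2

def build_query(name, qtype=1, qid=0x1234, cd=False):
    """Wire-format query with RD set and an EDNS0 OPT record carrying DO=1."""
    flags = 0x0100 | (CD if cd else 0)                    # RD, optionally CD
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)   # 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode()
                     for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!2H", qtype, 1)       # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0,
    # flags 0x8000 (DO), rdlength 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def frame_for_dot(msg):
    """DoT, like DNS over TCP, prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def header_flags(resp):
    """Return (ad_bit, rcode, ancount) from a response's 12-byte header."""
    _, flags, _, ancount, _, _ = struct.unpack("!6H", resp[:12])
    return bool(flags & AD), flags & RCODE_MASK, ancount

def classify(signed_resp, bogus_resp):
    """signed_resp: reply for a correctly signed name; bogus_resp: reply for a
    name whose signatures are deliberately broken. Both queried without CD."""
    ad, rcode_ok, _ = header_flags(signed_resp)
    _, rcode_bad, an_bad = header_flags(bogus_resp)
    if rcode_ok == 0 and ad and rcode_bad == SERVFAIL:
        return "validating"
    if rcode_bad == 0 and an_bad > 0:
        return "not validating"   # bogus data was handed back as if fine
    return "inconclusive"         # e.g. SERVFAIL without AD could be an outage

# Constructed sample response headers (not captured traffic).
def _hdr(flags, ancount): return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 1)
SIGNED_OK  = _hdr(0x81A0, 1)   # QR RD RA AD, NOERROR, one answer
BOGUS_FAIL = _hdr(0x8182, 0)   # QR RD RA, SERVFAIL, no answer
BOGUS_OK   = _hdr(0x8180, 1)   # QR RD RA, NOERROR, one answer

if __name__ == "__main__":
    print(classify(SIGNED_OK, BOGUS_FAIL), "/", classify(SIGNED_OK, BOGUS_OK))
```

The AD flag is only the resolver's assertion carried over the tunnel, so a "validating" result tells you what the provider does today, not that the data was verified on your side.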