The only bit I was interested in was libval, which has DNSSEC-validating versions of the get*by*() and get*info() functions. https://www.dnssec-tools.org/wiki/index.php/Libval_and_libsres
No, what you want is the validating version.
The standard getaddrinfo() simply asks the resolver for an address. The resolver attempts to validate the data, fails, and returns SERVFAIL; you get nothing.
The validating version (I believe it’s called val_getaddrinfo()) takes responsibility for validation by itself. It asks the resolver to provide the address data and associated DNSSEC data, warts and all, without validating it. (In other words it sets the CD bit on the query.) Then it does its own validation. What you get is the data requested, plus information about its validity, so you can decide for yourself whether to use the information or not.
Honestly, what you really want is a simple flag to getaddrinfo() to set the CD bit. But val_getaddrinfo() is one way to get there without having to muck with glibc or whatever library getaddrinfo() lives in.