When in iterative mode (-r /dev/null -i etc/root.hints), the validator will most certainly encounter non-dnssec-aware name servers. If the query name is expected to be trusted, queries are sent with the CD bit set. Some non-dnssec-aware name servers will return FORMERR, which the resolver treats as a fatal error.
I can see 2 potential solutions for this:
1) remove the name server from the name server list and move on to the next.
2) mark the name server as non-dnssec-aware, and try again without the CD bit set.