Current proposed solution
4

Resolver should give the application more information 

In stead of SERVFAIL, give back:
an error array: multiple bits encode the error
DNS name of the node where things went wrong

Example:
example.org has the wrong DS records for banking
Resolver gives back:
error code indicating a problem with the DS RR
the dns name: example.org
Application can now show this to the user