DNSSEC is a promising technique to enhance the security of the DNS, by authenticating a chain of trusts in the DNS hierarchy. However, the deployment of DNSSEC is still on the way. One of the reasons of this under deployment is due to not enough reliability of DNSSEC validations in real world operations, especially DNSSEC validation failures due to operation misses. Thus, DNS operators require quick and reliable ways to detect such DNSSEC validation failures. The current best practice of this issue is to validate all the DNSSEC available zones periodically. However, this approach has a scalability issue. In this paper, we aim at detecting the validation failures by analyzing passively collected DNS queries at TLD-level DNS authoritative servers in a lightweight way, instead of by actively validating all the zones. In particular, we focus on changes of DNS query patterns at the authoritative server before and after DNSSEC validation failures. We conduct large-scale active and passive controlled measurements with RIPE Atlas probes and a dedicated authoritative server, to show the validity of this approach. We demonstrate that increases in DNSKEY queries are a promising candidate of metrics to detect the failures from passively collected query data. Also, we show that an increase in the number of queries is limited even for short TTL values of DNSSEC queries, thus shorter TTL is beneficial for mitigating caching effect for DNSSEC validation failures.