Hacker News
by jakasto 2979 days ago
If I understand the discussion correctly, I think tptacek is right but he's not explaining his position well, which might be why he's been downvoted.

I think he's saying: let's say the correct IP address for example.com is 192.0.2.80. Instead of hijacking the prefix containing example.com's nameservers, an attacker could just hijack 192.0.2.0/24 and immediately get a DV cert. Within seconds they would be up and running and DNSSEC wouldn't have done a thing to prevent it.