You say "even non-existant DNSSEC" here, but, as a reminder: virtually none of the most popular/important/commercial/whatever-ranking-you-like zones on the Internet are signed. DNSSEC signing is not the norm.
Not quite true, many popular services do have it. Especially the big ones.
The thing is, I was mentioning DNSSEC as a "full disclosure". Any attack enabled by non-validated DNSSEC on passkey applies to any other form of verification too. I just wanted to make sure I'm not overselling the technology, it's not a silver bullet, but it's orders of magnitude better than anything else.
Name the popular services that have it. Here's a start: collect a list of popular domain names --- any of them will do --- and write a bash script that loops `dig ds $domainname +short` over all of them. You'll find that I'm not exaggerating, and that my summary of the state of play was in fact accurate.
There is no value to DNSSEC, which is why virtually nobody seriously uses it.
The thing is, I was mentioning DNSSEC as a "full disclosure". Any attack enabled by non-validated DNSSEC on passkey applies to any other form of verification too. I just wanted to make sure I'm not overselling the technology, it's not a silver bullet, but it's orders of magnitude better than anything else.