It also relies on the zones being looked up actually being signed with DNSSEC, but virtually none of them are. After 25 years of standardization effort there is practically no deployment of DNSSEC among the popular Internet or in the US. The protocol is moribund; it's not worth configuring.