I touched on this in the parallel comment where you linked this, but worth noting that DNSSEC does not solve this threat model, because re-routing the destination of legitimate IP addresses does not rely on modifying DNS responses.