
jcalvinowens, today at 4:04 PM

Anything that uses systemd-resolved is probably doing DNSSEC validation by default. It's becoming much more common.

Additionally, as I mentioned, OpenSSH itself has support for validating the DNSSEC signature even if your local resolver doesn't. I actually don't think it can use the standard resolver for SSHFP records at all, but I'm not sure.