Comment by cyberax
4 hours ago
No?
With DNSSEC, the public key is communicated to the top-level domain registry through out-of-band means. Presumably over a secure TLS link that can't be MITM-ed. The hash of the public key ("DS record") is, in turn, signed by the TLD's key. Which in turn is signed by the well-known root zone key.
So the adversary won't be able to fake the DNSSEC signatures, even if they control the full network path. They need to compromise your registry, at the very least.
It's how you detect something wrong in the CT logs, not just a routine certificate renewal.
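To make the DS-to-DNSKEY link in that chain concrete, here is an added example (not the commenter's code) that computes the DS digest a child zone hands to its registry and then performs the validator-side check that a DNSKEY received over the network matches it. The zone name, flags and the 64 key bytes are constructed sample values, not a real key.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2: labels lowercased)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum used to pick the right key."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes,
            digest_type: int = 2) -> dict:
    """What the child zone hands the registry: a digest over owner || DNSKEY RDATA.
    Digest type 2 is SHA-256, 4 is SHA-384 (1, SHA-1, is deprecated)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type,
            "digest": hasher(name_to_wire(owner) + rdata).digest()}

def ds_matches_dnskey(owner: str, ds: dict, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """Validator-side check: a DNSKEY fetched over the (untrusted) network is only
    usable if it hashes to the DS record the parent zone signed."""
    cand = make_ds(owner, flags, protocol, algorithm, pubkey, ds["digest_type"])
    return (cand["key_tag"] == ds["key_tag"]
            and cand["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(cand["digest"], ds["digest"]))

# Constructed sample: 64 placeholder bytes, the length of an algorithm 13
# (ECDSA P-256) public key. Not a real key.
ZONE = "example.com."
KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256 = 257, 3, 13
KSK_PUBKEY = bytes(range(64))

if __name__ == "__main__":
    ds = make_ds(ZONE, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, KSK_PUBKEY)
    forged = bytes([KSK_PUBKEY[0] ^ 1]) + KSK_PUBKEY[1:]  # on-path substitution
    print(ds["digest"].hex(), ds_matches_dnskey(
        ZONE, ds, KSK_FLAGS, PROTOCOL, ALG_ECDSAP256SHA256, forged))
```

The same check is what a validating resolver performs at each delegation, so a DNSKEY substituted on the path fails against the DS the parent signed.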