DNSSEC support in MacOS

After a very frustrating hour plus getting bounced around Apple's text chat -> phone -> "senior" phone support, I haven't been able to get any resolution, so hopefully someone here can do better.

I'm trying to get Apple's resolver to use DNSSEC validation when available, but tolerate unsigned zones (since unfortunately, most zones still aren't signed, but hey, at least I'll be able to truly trust the data from signed zones).

Unfortunately, Apple support punted and refused to even address the issue, trying instead to refer me to developer support, claiming that anything in terminal is outside of their scope of support (ignoring that Safari is having the same problem).

I found this thread from 2009: How to enable DNSSEC - DNS Security valid… - Apple Community

but the answer there was "Apple doesn't support DNSSEC validation".

I found a video from WWDC20 which showed how to force your own application to require DNSSEC validation, but that doesn't really help with wanting opportunistic DNSSEC validation in Apple's supplied client applications (e.g. Safari and OpenSSH).

Surely in the intervening 15 years, Apple has some way to do opportunistic DNSSEC validation, don't they?