I'm not sure I understand your questions right, but if you present a DNSSEC key that's not properly signed the resolver returns with an error code. It would be a truly malicious application that came with its own resolver and forced a connection anyway.
So the answers would be, in order, that DNSSEC does not replace SSL, but the latter can take advantage of the former. There's no need to prompt the user as the resolver can prove a key belongs to a certain DNS domain.
I think nobody advocates blocking access to unauthenticated domains completely, but to domains with bad signatures. So applications can work just like today when a domain is not signed, but can take advantage of it when it is.
Copyright © 2017, Eklektix, Inc.