using DNSSEC lookaside because registrar cannot inject DS records

Parts of the question are clearly opinion based but I'll try to address the specifics of relying on DNSSEC lookaside (DLV) at this time.

First of all, lookaside support is implemented in several of the major validating resolver software implementations but not all. Even where the software implements lookaside support it is not generally enabled by default (probably as its use is not entirely without controversy - not a "real standard", central repository of trusted keys, etc.).

Nowadays, with the root as well as most of the TLDs signed (and hopefully allowing creation of signed delegations) I don't think it's far-fetched to assume that adoption of lookaside in new deployments is likely dropping a lot except in cases where the system owner themselves are relying on lookaside for their own needs.

As a couple of examples of some popular validating resolver servers, Google's public resolvers do not make use lookaside, neither does Comcast's.

Overall, it would seem that lookaside is still better than nothing in that it's still potentially useful even though it seems like its usefulness is dropping.

If possible (ie, if you have any idea which resolver servers most of your clients will be using), you may want to do some testing to figure out how useful relying on DNSSEC lookaside is for you specifically. Querying validating resolver servers for eg nsec3.dlvtest.dns-oarc.net (and observing the AD flag in the response) would be a good start.

Some potentially useful reading (although a couple of years old):

• http://lists.dnssec-deployment.org/pipermail/dnssec-deployment/2013-November/thread.html#6940
• http://blog.huque.com/2013/09/isc-dlv-registry-usage.html