So for exmaple for 1 1 1 this checks that the DANE part passes, but then returns false because DANE is necessary but not sufficient in that case. We can know DANE didn't specifically fail because no exception is raised, but if DNSSEC fails entirely also we get a return of false with no exception raised, so there is no way to tell these apart.

Suggestion: return an int code, 0 for fully verified success, 1 for DANE passed but there's more to do, and -1 for no DANE found or checked at all. Something like that.