It doesn't eliminate fraudulent certificates, but it reduces a gazillion points of failure to one point of failure. Currently, compromising one CA allows you to forge any certificate you like -- and there are what, thousands of CAs? If we used DNSSEC instead, the only way to inject a forged certificate would be to compromise the DNS servers of the site itself, or the DNS servers of a higher-level domain. For a high-profile site, that reduces the attack surface to almost nothing. Instead of being able to forge google.com certificates by exploiting any CA on the planet, you suddenly have to exploit either .com TLD nameservers, or google.com nameservers . . . which is going to be close to impossible in either case.
A shorter-term and less complete solution would be to extend HTTP Strict Transport Security to say "ignore any certificates that aren't signed by this specific CA". That would also drastically reduce attack surface, and although in the long run it's probably inferior to DNSSEC, it would be much easier to deploy.