> Instead of being able to forge google.com certificates by exploiting any CA on the planet, you suddenly have to exploit either .com TLD nameservers, or google.com nameservers . . . which is going to be close to impossible in either case.

What about country TLDs? If a government wants to do a MITM attack, it can surely control the country-level nameserver.