How does that work in practice? Wouldn't you need to have a key signed by the next highest upstream authority to make this work, or do clients not do any checking if the key for com. changes between requests? Wouldn't the only sure-fire way to do spoofing for foobix.com. be to have a shadow root with its own complete key infrastructure for all possible zones all the way down to the one that is being spoofed? You aren't going to be able to re-use any of the legitimate public key material because the trust relationships won't be compatible with the spoofed resources, right?
As long as clients don't accept the upstream keys in the hierarchy changing between requests, to spoof one child domain you have to spoof them all, right?