I agree with you that shifting the trust to DNS providers will not really solve much. But my point was actually: If the dnssec cannot be trusted, why should perspectives be trusted?
However, I still think DNSSEC is good. First it can be implemented additional to CAs, so there are 2 layers of security. Second, only the dns provider can compromise a specific site and not a huge number of unrelated organisations.
The approach I like best is using .onion like addresses with the crypto key encoded in the url.