
Google: Maintaining digital certificate security

Posted Mar 25, 2015 11:57 UTC (Wed) by rich0 (guest, #55509)
In reply to: Google: Maintaining digital certificate security by Aissen
Parent article: Google: Maintaining digital certificate security

Right now Verisign can already spoof any .com domain that exists including any SSL certificates it uses. It can additionally spoof certificates for any domain anywhere.

Using DNSSEC for SSL certs would still give them the same power over .com, but it would eliminate its ability to spoof anything outside of that domain.

Then if a website owner doesn't trust Verisign, they can just avoid .com.

There is no simple solution to PKI that doesn't involve trusting somebody. However, using a hierarchical system tied to DNS at least greatly reduces the amount of trusting that you have to do. Right now navy.mil has to trust some Chinese CA to not spoof it, and vice-versa. In what world does that make sense?

