by xorcist 3897 days ago
Not necessarily. You could also place domain-validated trust in the registrars, to cryptographically verify their delegations. That would build a chain of trust which you in turn could use to validate keys for services in those domains.

That's the DNSSEC+DANE approach and that's still the same as the DNS approach I listed (trusted name registry lists), except that the address isn't an IP address (or in other words, your domain's DNS server that says what IP addresses your subdomains have is itself identified by a public key).