by throwaway2048
3875 days ago
Even in the case of existing CA model+key pinning (at least before the key is pinned) you are still trusting that the governments controlling the TLDs are not going to fuck you. I'd rather trust a handful of ccTLD nation states than the nation states + everybody with access to a CA cert. Also, the idea that DNSSEC TLD keys cannot be rotated is pure FUD; the root key signing keys themselves cannot, but they were extremely careful there. If tampering is detected, do you really think TLD keys are going to be left alone, and not regenerated and the process extremely closely scrutinized?