by takeda 3875 days ago
How is that worse? You already have the US government in your CAs, for example the Federal Common Policy CA. At least with DNSSEC only the organization that owns the TLD can issue certificates. With the CA system in the browsers, a country you might never have heard of can issue a certificate for google.com (which has already happened).

Yes, the danger could be that the root certificate is managed by a single organization, but this can be easily solved in the software of the DNS server (for example, ignore the root and store the certificate for every TLD, or implement a policy to trust it only for certain TLDs). I would not be surprised if that's already implemented.

Now with the ICANN move (which I personally am not a big fan of) there are TLDs that are owned by private organizations, so it is possible to have an entire chain without any government being involved in it.
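A constructed toy model of the per-TLD trust-anchor policy described in the comment above (an added example, not code from the thread or from any DNS server): zone keys are placeholder byte strings, the parent's DS record is modelled as a SHA-256 digest of the child's key, and record signatures are left out so only the delegation chain and the validator's anchor policy are exercised.

```python
import hashlib

# Toy model of DNSSEC delegation, constructed for illustration: every zone
# publishes a key (an opaque byte string here) and the parent publishes a
# DS-style digest of the child's key. Real DNSSEC also signs each record set
# with these keys; signature checking is omitted so only the chain of digests
# and the validator's anchor policy are modelled.

def ds_digest(key: bytes) -> str:
    """SHA-256 digest of a zone key, standing in for a DS record."""
    return hashlib.sha256(key).hexdigest()

def validate(name: str, keys: dict, ds: dict, anchors: dict):
    """Walk from `name` toward the root. `keys`: zone -> published key,
    `ds`: zone -> digest the parent publishes for that zone, `anchors`:
    zone -> digest the validator pins locally. Returns the zone whose pinned
    anchor terminated the walk, or None if no trusted anchor was reached."""
    labels = name.split(".")
    zones = [".".join(labels[i:]) for i in range(len(labels))] + ["."]
    for zone in zones:
        key = keys.get(zone)
        if key is None:
            return None
        if zone in anchors:
            # Pinned zone: trust is decided here and the parents are ignored.
            return zone if ds_digest(key) == anchors[zone] else None
        if ds.get(zone) != ds_digest(key):
            return None  # the parent's DS does not vouch for this key
    return None  # reached the root without meeting any pinned anchor

def honest_zone_data():
    """Constructed sample chain: root -> com -> google.com (placeholder keys)."""
    keys = {".": b"root-key", "com": b"com-key", "google.com": b"google-key"}
    ds = {z: ds_digest(k) for z, k in keys.items() if z != "."}
    return keys, ds

def rogue_com_zone_data():
    """Same chain, but the root operator has re-delegated .com to a key of
    its own choosing, the single-root danger the comment describes."""
    keys, ds = honest_zone_data()
    keys["com"] = b"rogue-com-key"
    ds["com"] = ds_digest(keys["com"])  # the root now vouches for the swapped key
    return keys, ds

if __name__ == "__main__":
    keys, ds = rogue_com_zone_data()
    root_only = {".": ds_digest(keys["."])}
    per_tld = {"com": ds_digest(b"com-key")}  # .com key pinned before the swap
    print(validate("google.com", keys, ds, root_only))  # "." : accepted
    print(validate("google.com", keys, ds, per_tld))    # None: rejected
```

With a root-only anchor the re-delegated .com chain still validates; with the .com key pinned, the swap is detected because the walk never consults the root.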


You don't have to trust the government CAs. A specific CA isn't part of the SSL protocol.
But it is an essential part of it, and those certificates are provided to you upstream.

Disabling them is discouraged; if you disable them you might start having issues (for example, I disabled CAs on my Android phone and then noticed that many of my apps started crashing or had weird issues without providing meaningful messages).

If you disable them, chances are that a new version of the software will enable them back. You're essentially forced to live with them.