by Arnt 2916 days ago
Can you elaborate?

AFAICT, anyone who controls .com can add or replace a cert for ycombinator.com, but only visibly. If they do it, they show the change to the entire world at once, because .com is signed with dnssec. Right?

2 comments

Your parent mentioned Certificate Transparency. Under CT all the public CAs log certificates they issue, and everybody can see the logs, programmatically (with cryptographic security) or via a log monitor like crt.sh.

So yes, bad guys operating a TLD can trick a CA into issuing for a domain under theirs, but the CT logs would preserve evidence of this cert existing, and the CA is required to keep records of why it was confident to issue. Monitors would know about the cert in 24 hours (usually much less).
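To make the "monitors would know" part concrete, here is a small CT-monitor check added as an example; it is not code from the thread or from crt.sh. It consumes records in the shape of crt.sh's JSON output (the field names `issuer_name`, `name_value`, `serial_number`, `not_before` are real crt.sh fields; the records themselves are constructed), keeps only certificates that cover the monitored domain or one of its subdomains, collapses duplicate log entries for the same certificate, and reports any issuance whose issuer is not on an allowlist you maintain for your own domain. The allowlist and the sample issuer names are assumptions for the example.

```python
import json
from typing import Dict, List

# Constructed sample records in the shape of crt.sh's JSON output.
# The field names match crt.sh; every value below is made up for this example.
SAMPLE_CT_RECORDS = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Example Trust, CN=Example Trust DV CA",
     "name_value": "ycombinator.com\nwww.ycombinator.com",
     "serial_number": "01aa", "not_before": "2024-01-10T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example Trust, CN=Example Trust DV CA",
     "name_value": "news.ycombinator.com",
     "serial_number": "01ab", "not_before": "2024-02-01T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Other CA Ltd, CN=Other CA DV",
     "name_value": "ycombinator.com",
     "serial_number": "beef", "not_before": "2024-03-05T00:00:00"},
    # Same certificate logged twice (e.g. precertificate and final cert):
    {"id": 4, "issuer_name": "C=XX, O=Other CA Ltd, CN=Other CA DV",
     "name_value": "ycombinator.com",
     "serial_number": "beef", "not_before": "2024-03-05T00:00:00"},
    # A look-alike name that does not actually cover the monitored domain:
    {"id": 5, "issuer_name": "C=XX, O=Other CA Ltd, CN=Other CA DV",
     "name_value": "ycombinator.com.evil.example",
     "serial_number": "c0de", "not_before": "2024-03-06T00:00:00"},
])


def covers_domain(name: str, domain: str) -> bool:
    """True if a certificate name (possibly a wildcard) covers `domain`
    itself or a subdomain of it. A name that merely *starts with* the
    domain (ycombinator.com.evil.example) does not count."""
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def unexpected_issuances(records_json: str, domain: str,
                         allowed_issuers: List[str]) -> List[Dict]:
    """Return one finding per distinct certificate covering `domain`
    whose issuer DN is not in the allowlist (assumed to be maintained
    by the domain owner)."""
    allowed = {issuer.lower() for issuer in allowed_issuers}
    seen = set()
    findings = []
    for rec in json.loads(records_json):
        names = rec["name_value"].split("\n")
        if not any(covers_domain(n, domain) for n in names):
            continue
        # Deduplicate on (issuer, serial): CT logs often hold both the
        # precertificate and the final certificate for one issuance.
        key = (rec["issuer_name"], rec["serial_number"])
        if key in seen:
            continue
        seen.add(key)
        if rec["issuer_name"].lower() in allowed:
            continue
        findings.append({
            "issuer": rec["issuer_name"],
            "serial": rec["serial_number"],
            "names": names,
            "not_before": rec["not_before"],
        })
    return findings


if __name__ == "__main__":
    # Assumed allowlist: the CA(s) this domain owner actually uses.
    allowlist = ["C=US, O=Example Trust, CN=Example Trust DV CA"]
    for f in unexpected_issuances(SAMPLE_CT_RECORDS, "ycombinator.com", allowlist):
        print(f"UNEXPECTED ISSUANCE serial={f['serial']} issuer={f['issuer']} "
              f"names={f['names']} not_before={f['not_before']}")
```

Run against the constructed data this flags exactly one certificate (serial `beef`): the duplicate log entry is collapsed and the look-alike name is ignored. In a real monitor the records would come from a CT log or crt.sh rather than an embedded string, and a finding is the cue to check with the CA whether the issuance was authorised.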

The idea behind the attack they're talking about is that the USG has de jure control over .COM's DNSSEC keys, and so they can in fact edit .COM transparently.