by tialaramex 1122 days ago
Web PKI CAs aren't psychic, they just use DNS. So your claim ends up being that you believe DNS answers from the DNS can be tampered with by parties who control those answers (which includes the TLD registrar, this part checks out), but, somehow every Web PKI CA would know if this happened and disregard the results.

Not only is your claim obviously not true in principle, we know it's not true in practice: disrupted DNS causes real issuances which are, let's say... suspicious. They're not mis-issuance under current policy because the Web PKI trusts the DNS, but they would trigger exactly the scenario you believe can't happen.


You're right of course, but there's progress being made to require multi-perspective verification (do DNS lookups from many different and ideally randomised locations, only issue if you get consensus). It's not perfect, but it's a great step in the right direction.
DNSSEC can be tampered with without leaving a trail of evidence. If you MitM DNS for all the outbound IPs a CA uses, the end result of that gets logged in Certificate Transparency. And since 1) sites can and do monitor CT for their domains and 2) browsers demand the certificate has been submitted to CT, we know that e.g. google.com is not MitM'ed.
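The multi-perspective consensus rule described in the first reply above, as an added example that is not part of the thread and not any CA's published code: each vantage point's DNS-01 TXT lookup result is collected, and issuance is allowed only if the primary perspective confirms the challenge and the remote perspectives agree. The quorum policy (at most one remote failure, any conflicting answer is fatal) and the sample observations are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: the challenge value the CA expects to find in the
# _acme-challenge TXT record, and what each vantage point's resolver returned.
# None models a failed lookup (timeout or SERVFAIL); a list models the answers.
EXPECTED_TOKEN = "constructed-challenge-token-123"
OBSERVATIONS = {
    "primary-us":  [EXPECTED_TOKEN],
    "remote-eu":   [EXPECTED_TOKEN],
    "remote-asia": ["constructed-bogus-value"],  # simulated tampered DNS path
    "remote-sa":   None,                          # simulated lookup failure
}

@dataclass
class Decision:
    issue: bool
    reason: str
    agreeing: list = field(default_factory=list)
    failed: list = field(default_factory=list)
    disagreeing: list = field(default_factory=list)

def mpic_decision(observations, expected, max_remote_failures=1):
    """Assumed quorum policy (modelled on the multi-perspective idea, not a
    specific CA's rule): the primary perspective must see the expected value,
    at most `max_remote_failures` remote perspectives may fail to answer, and a
    remote that returns a *different* non-empty answer is a disagreement,
    the signature of per-path tampering rather than flakiness, so it is fatal."""
    agreeing, failed, disagreeing = [], [], []
    for name, answers in observations.items():
        if answers and expected in answers:
            agreeing.append(name)
        elif answers:
            disagreeing.append(name)
        else:
            failed.append(name)
    primary = [n for n in observations if n.startswith("primary")]
    if not primary or primary[0] not in agreeing:
        return Decision(False, "primary perspective did not confirm", agreeing, failed, disagreeing)
    if disagreeing:
        return Decision(False, "conflicting answers across perspectives", agreeing, failed, disagreeing)
    if len(failed) > max_remote_failures:
        return Decision(False, "too many remote lookup failures", agreeing, failed, disagreeing)
    return Decision(True, "quorum reached", agreeing, failed, disagreeing)

if __name__ == "__main__":
    d = mpic_decision(OBSERVATIONS, EXPECTED_TOKEN)
    print(d.issue, d.reason, "disagreeing:", d.disagreeing, "failed:", d.failed)
```

With the constructed observations the tampered vantage point alone blocks issuance, which is the detection the reply is describing: an attacker who controls only one path to the domain's DNS cannot get consensus.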