Also, Verisign the CA works for Verisign, while Verisign the TLD operator (.com, .net, .gov) works for the US govt.

And this conversation we're having about distrusting WoSign? We couldn't even have it about abandoning .com.

People should look into Moxie's thoughts on "trust agility" where he specifically addresses DNSSEC/DANE and recommends against it. It's a great read.

https://moxie.org/blog/ssl-and-the-future-of-authenticity/