Why not get rid of all certificate authorities and all the special kinds of SSL certificates there are (extended validation etc.) and instead just require anyone who wanted SSL to write their own self-signed SSL certificate and then have them stored in DNS records?
Wouldn't that be easier than having to put trust in both 3rd-party certificate authorities and in DNSSEC? Also, then you could remove those security warnings given by browsers when using self-signed certificates. I mean, as long as your DNS wasn't poisoned, there wouldn't be a problem. Also, you have a huge number of choices when it comes to DNS providers, which you don't have when it comes to certificate authorities trusted by common browsers.