If u have a state-owned, state-run DNS service with a root zone and cooperation (forced or not) from ISPs, you really would not have to care about https, and if CT services are not reachable nobody would know.
Aren't there private and public keys involved ? Public keys are pre-packaged with clients (Firefox/Chrome/etc), so the state can't just change or fake the private keys.
Maybe they would force all clients to prepackage a government key and then change all infrastructure to pretend all websites use this public key for their https traffic?
