My critique goes more in the direction of DNSSEC being a centralized infrastructure. I didn't mean that it is easily subverted but its possible, especially for an US state actor. Its definitely more transparent as SSL CA's for sure. However, for my communications I'd like rather rely on an infrastructure which is independent from centralized resources.