The problem Kazakhstan had was that there was no existing CA they could already force to issue certs. So they had to make a new one. It would be foolish to assume that none of the many trust anchors your browser already trusts haven't already been compelled by your local government to do exactly this.
Also, DANE and DNSSEC solve this problem.
DANE is, unfortunately, not viable to implement in browsers right now for a variety of reasons: https://www.imperialviolet.org/2015/01/17/notdane.html
CT makes such an attack obvious, but the harm can't be undone.
A case study: root certificates for the GPKI, the South Korean governmental CA primarily used for public institutions, are not included in most browsers except for maybe IE but frequently trusted due to (still) prevalent uses of ActiveX controls. It is of course subject to CA/B Forum baseline requirements and publishes CT records, so you may guess their "accidentally" invalid wildcard certificates are quickly spotted... Heck no! It was only noticed 3 years later. No one knows what happened in this period.
For example, Firefox doesn't include it: https://bugzilla.mozilla.org/show_bug.cgi?id=1377389
For example, https://crt.sh/?id=6990343 contains a public suffix `.co.kr` (comparable to `.com`). Note that the BR contains very strong requirements for such public suffixes, which the GPKI didn't follow.
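An added example, not part of the thread or any participant's code: a check a CT monitor could run over the dNSNames of logged certificates to flag names that sit directly on a public suffix such as `.co.kr`. The suffix set, the finding labels and the sample entries are constructed for illustration; a real monitor would load the full Public Suffix List.

```python
# Constructed subset of the Public Suffix List (assumption: a real
# monitor loads the complete, current list instead).
PUBLIC_SUFFIXES = {"com", "kr", "co.kr", "go.kr", "uk", "co.uk"}


def normalize(name):
    """Lower-case a dNSName and drop surrounding space and a trailing dot."""
    return name.strip().rstrip(".").lower()


def classify_san(name, suffixes=PUBLIC_SUFFIXES):
    """Return a finding label for one dNSName, or None if nothing is flagged."""
    n = normalize(name)
    labels = n.split(".")
    if "*" in n:
        base = ".".join(labels[1:])
        # Only a whole leftmost "*" label followed by a name is expected.
        if labels[0] != "*" or "*" in base or not base:
            return "nonstandard-wildcard"
        # "*.co.kr" would match every registrant under the suffix.
        if base in suffixes:
            return "wildcard-over-public-suffix"
        return None
    if n in suffixes:
        return "bare-public-suffix"
    return None


def audit_entries(entries, suffixes=PUBLIC_SUFFIXES):
    """entries: iterable of (cert_id, [dNSName, ...]) taken from CT log data.
    Returns a list of (cert_id, name, finding) for every flagged name."""
    findings = []
    for cert_id, names in entries:
        for name in names:
            finding = classify_san(name, suffixes)
            if finding:
                findings.append((cert_id, name, finding))
    return findings


# Constructed sample entries; ids and names are not real certificates.
SAMPLE = [
    ("constructed-1", ["www.example.co.kr", "*.example.co.kr"]),
    ("constructed-2", ["*.co.kr"]),
    ("constructed-3", ["CO.KR.", "mail.example.go.kr"]),
    ("constructed-4", ["w*.example.com"]),
]

if __name__ == "__main__":
    for row in audit_entries(SAMPLE):
        print(row)
```

Running a check like this on each new log entry, rather than relying on someone browsing the log by hand, is what turns CT publication into actual detection.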