Do I understand correctly: With DNSSEC the bar will be raised because the registrar of a specific domain will need to be compromised to change the DNS entries? So some misc country's CA that ends up trusted for whatever reason will not be able to sign records for another TLD?
