Uncertain Certificates

Author: A.R. Peters


XI. No CA's?

Above, yet another design error of PKI and the use of a public CA became apparent: a CA will sign a certificate for any domain, and anyone who accepts that CA into their truststore must accept all of those certificates.

With a protocol such as DNS-based Authentication of Named Entities, DANE (RFC 6698: DANE for TLS (2012), RFC 7671: DANE Operations (2015)), one can try to replace CAs by DNS: the domain owner publishes in DNS which certificate or public key a TLS server is allowed to present. But DNS itself also has fundamental security issues, which one tries to remedy with the Domain Name System Security Extensions (DNSSEC).
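The DANE mechanism referred to above works through TLSA resource records (RFC 6698), which carry four fields: a certificate usage, a selector (whole certificate or only its SubjectPublicKeyInfo), a matching type (full data, SHA-256 or SHA-512) and the association data itself. The following Python script is an added illustration, not code from the article: it parses and generates TLSA records in their presentation form and checks a server's certificate material against one. The certificate and SPKI bytes are constructed placeholders rather than real DER, and the `dnssec_validated` flag stands in for a resolver's validation result, which is where the article's DNSSEC caveat enters: a TLSA answer that was not DNSSEC-validated must be treated as if no record existed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Code points from RFC 6698; the mnemonic names are RFC 7218's.
# Usages 0 and 1 still require the usual CA (PKIX) validation; only
# usages 2 and 3 let DNS data replace the CA entirely.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form 'usage selector mtype hexdata' (RFC 6698 section 2.2)."""
    parts = presentation.split()
    if len(parts) != 4:
        raise ValueError("TLSA record needs exactly four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGE_NAMES:
        raise ValueError(f"unknown certificate usage {usage}")
    if selector not in (SELECTOR_FULL_CERT, SELECTOR_SPKI):
        raise ValueError(f"unknown selector {selector}")
    if mtype not in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512):
        raise ValueError(f"unknown matching type {mtype}")
    return TLSARecord(usage, selector, mtype, bytes.fromhex(parts[3]))


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Select the certificate or its SPKI, then apply the matching type."""
    selected = cert_der if selector == SELECTOR_FULL_CERT else spki_der
    if mtype == MATCH_FULL:
        return selected
    if mtype == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """What a domain owner would publish, e.g. at _443._tcp.www.example.com."""
    data = association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


def matches_tlsa(record: TLSARecord, cert_der: bytes, spki_der: bytes,
                 dnssec_validated: bool) -> bool:
    """Client-side check: does the presented material match the published record?

    Without DNSSEC validation the record could have been forged or stripped in
    transit, so it is treated as absent (RFC 7671 section 4.1).
    """
    if not dnssec_validated:
        return False
    expected = association_data(record.selector, record.matching_type, cert_der, spki_der)
    # Constant-time comparison; it also handles differing lengths safely.
    return hmac.compare_digest(expected, record.assoc_data)


# Constructed stand-ins for a server's DER-encoded certificate and its SPKI.
SERVER_CERT_DER = b"constructed-certificate-der-bytes"
SERVER_SPKI_DER = b"constructed-subject-public-key-info-bytes"


def demo() -> dict:
    """Publish a DANE-EE record pinned to the SPKI, then check three scenarios."""
    published = make_tlsa(3, SELECTOR_SPKI, MATCH_SHA256, SERVER_CERT_DER, SERVER_SPKI_DER)
    record = parse_tlsa(published)
    return {
        "record": published,
        "usage": USAGE_NAMES[record.usage],
        "validated_match": matches_tlsa(record, SERVER_CERT_DER, SERVER_SPKI_DER, True),
        "unvalidated_match": matches_tlsa(record, SERVER_CERT_DER, SERVER_SPKI_DER, False),
        "wrong_key_match": matches_tlsa(record, SERVER_CERT_DER, b"some-other-key", True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `wrong_key_match` case is the situation the article's previous sections describe from the CA side: a certificate that a CA would happily sign for the domain is rejected here because the domain owner never published its key. The `unvalidated_match` case shows the flip side: DANE only moves the trust problem into DNS, and without DNSSEC the record offers no assurance at all.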