I mean, given how just about all DNSSEC domains are bootstrapped through domain registrar interfaces and their APIs (which have been compromised in attacks before), that might not be the best idea. As a counterpoint I think despite it's flaws that removing any form of certificate/key pinning from browsers was a mistake, rather than learning from said issues (i.e Maybe provisioning pinning of the public keys through an HTTP header isn't the best idea.)