Do you not see a problem with a massive deployment of new crypto infrastructure that leaves Verisign in cryptographic control of any site in .COM?

Oh, I definitely do. I was just trying to say that Verisign could already do a similar attack even without DANE. As controllers of .com they could easily redirect example.com to an evil server, and as a root CA they could give the evil server an EV certificate for example.com.

If anything, I suppose that should be an argument against consolidating DNS and TLS powers into single entities, which is exactly what DNSSEC and DANE do.