Then the notion that we have "1500 CAs", so what we really need to do is invest every DNS zone with CA powers (because if 1500 is too many, millions is better?).
I think you've shot rather wide of the mark here. Every DNS zone does not have CA powers, at least not in the sense that payp4l.com could vouch for paypal.com. Sure, paypal can bone up their own zone. Or .com screws up (that'd be bad). But an honest appraisal would recognize that the DNSSEC solution means there is exactly one CA per domain and you know in advance who it is. That's way better than having to guess which of 1500 CAs is the legit signer.
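As an added example (not part of either post), here is a toy Python model of the trust structure the reply describes: a DNSSEC-style delegation chain in which exactly one key, named in advance by the parent's DS record, can vouch for a zone, set beside a browser-style store where any of 1500 interchangeable CAs may sign for any name. Zone names, keys, DS digests and the "ca-N" labels are constructed stand-ins, and the "parent screws up" helper models the one remaining risk the reply concedes.

```python
import copy
import hashlib

def key_digest(key):
    # Stand-in for a DS record: the hash of a child zone's public key.
    return hashlib.sha256(key.encode()).hexdigest()

# Constructed zone data: each zone publishes its own key plus a DS record
# (key digest) for every child it delegates to. Keys are placeholder strings.
ZONES = {
    ".": {"key": "root-key", "ds": {}},
    "com.": {"key": "com-key", "ds": {}},
    "paypal.com.": {"key": "paypal-key", "ds": {}},
    "payp4l.com.": {"key": "payp4l-key", "ds": {}},
}
ZONES["."]["ds"]["com."] = key_digest(ZONES["com."]["key"])
ZONES["com."]["ds"]["paypal.com."] = key_digest(ZONES["paypal.com."]["key"])
ZONES["com."]["ds"]["payp4l.com."] = key_digest(ZONES["payp4l.com."]["key"])
# The validator's one configured trust anchor: the root key's digest.
TRUST_ANCHOR = key_digest(ZONES["."]["key"])

def parent_of(zone):
    if zone == ".":
        return None
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def signer_accepted(zone, signer_key, zones=ZONES):
    """True only if signer_key is the single key the delegation chain vouches
    for at `zone`: parent DS matches it, grandparent DS matches the parent's
    key, and so on up to the configured trust anchor."""
    expected = key_digest(signer_key)
    current = zone
    while True:
        parent = parent_of(current)
        if parent is None:
            return expected == TRUST_ANCHOR
        if zones[parent]["ds"].get(current) != expected:
            return False  # the parent never delegated to this key
        expected = key_digest(zones[parent]["key"])
        current = parent

# Contrast: a browser-style store where any of 1500 CAs may vouch for any name.
WEB_PKI_CAS = {f"ca-{i}" for i in range(1500)}

def webpki_accepted(name, ca):
    return ca in WEB_PKI_CAS  # the name plays no part in which CA may sign it

def with_parent_compromise(zones, zone, rogue_key):
    # The "parent screws up" case: the parent repoints the child's DS record.
    tampered = copy.deepcopy(zones)
    tampered[parent_of(zone)]["ds"][zone] = key_digest(rogue_key)
    return tampered
```

Running `signer_accepted("paypal.com.", "payp4l-key")` returns False because .com's DS for paypal.com names paypal's key, while `webpki_accepted` returns True for any of the 1500 CAs regardless of the name.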