The original intent of DNSSEC was to provide an IETF-endorsed public key infrastructure, not to defend the DNS from attacks. The idea was, "we have this great DNS protocol, it works well at Internet-scale, let's leverage it for something other than hostname resolution".
The reality of DNSSEC is that it's creaky, somewhat broken, solves neither the PKI nor the DNS protection problem well, and --- because it is likely to pervasively screw up applications across the Internet --- unlikely ever to be deployed.
Either way, there's no magic bullet. If you concede root keys to China, you have to concede DNSSEC keys --- which are, if anything, more loosely held and more widely distributed than CA keys, which have never had a known breach.