It's something of a technical limitation though: there's no reason all my devices - the consumers of my domain name - couldn't just accept that anything signed with some key is actually XorNot.com or whatever...but good luck keeping that configuration together.
You very reasonably could replace the whole system with just "lists of trusted keys to names" if the concept has enough popular technical support.