
You don't understand how DNS works. The root is controlled by a US organization (not the government, but whatever) and it delegates individual TLDs to other organizations in other jurisdictions.

So if the US government wants to fake (for example) mail.google.cz it needs to:

1. Create a fake .cz record and sign it with the root KSK.
2. Make sure only you see this record (so they must control the network path to you).
3. Create a fake response.

This is technically possible, but highly unlikely. It's also going to be very visible and easily detectable.



I think the attack tptacek is suggesting is where a government replaces your key with their key, and your nameservers with their nameservers (perhaps with a passthrough for non-interesting records), at which point they can send whichever responses they want with a valid signature.

In your example the Czech government would be the bad actor, but the US government could be the bad actor for .com.


The thing is, I can pick and choose the government to host the website. If I don't like the Czech government's policies, I can use a domain in Turkey or Libya.

The hierarchical nature of DNS makes it impossible for the US to covertly mess with that.

This is strictly better than the current situation where de-facto any government can get a certificate for your domain name by putting pressure on one of the countless CAs. And quite a few governments even have their own CAs recognized by browsers.


This is how you know the argument has lost the plot: your response to government manipulation of Internet cryptography is that Google can just leave .COM.


I'm pretty sure I do understand how the DNS works.



