Wrong, TLS security is independent from DNS. If my threat model includes nation states I'll trust my own certificates or my very own CA.

You trust your browser's root program, not "all CAs".

That’s not all what CA means in standard usage. Terms like WebPKI exist specifically to make that distinction since, for example, the U.S. government runs its own certificate authorities which are trusted by millions of clients and even some mainstream software (Adobe) but not browsers. This is far from unique as far as governments go, and in some cases may even be required within a country.

Those non-web CAs are not the topic of discussion, though. When we are discussing the DNSSEC PKI, we are not discussing any altroots¹. When people are discussing the CA system for TLS, they overwhelmingly mean the normal web CAs.

1. https://en.wikipedia.org/wiki/Alternative_DNS_root

"The normal web CAs" means "the Mozilla and Chrome root programs". There are other CAs, and some of them are even in the root stores of other browsers, but they're not "trusted" in the sense you meant upthread.

No, obviously, different TLS programs have different root programs.

No, again in that threat model I can decide exactly which certificates and which CA I trust, one by one.

If your threat includes nation states then DNSSEC is double-useless?

If your threat model includes nation-states then DNSSEC won't help you either. WebPKI at least has a method for keeping track of and detecting misissuance, DNSSEC doesn't.