I know quite a bit about PKI and X.509, and I can tell you that much: the overlap with how DNSSEC works is limited.

As is the overlap between DNSSEC and DNS itself, to be honest.

I once worked at the level of administering DNSSEC for 300+ TLDs. It's its own world. When that company was winding down, I tried to continue in the field but the most common response (outside of no response, of course), was 'we already have a DNS team/vendor/guy.' And well, then things like this happen. I won't throw stones though, it's a lot to learn and can be incredibly brittle.