You're right, there is no objective way to say which is the "correct" google.com, you have to have some trusted body giving out monopolies on individual names. But that's not the problem that needs to be solved: the problem here is the body revoking names afterwards.
I think that it *is* possible to create a system where names are assigned permanently and can't be taken back. It might look something like this:
1. You buy example.com in the traditional manner from an untrusted legacy registrar.
2. You generate yourself a public/private keypair, and with it claim ".hash" or somesuch. These domain names won't collide and you can prove your ownership with a digital signature.
3. Any of several partly-trusted CAs signs a non-expiring DNS record pointing example.com to .hash.
4. Said CA retires their certs rapidly, say weekly, and publishes the entire list of signed DNS records somewhere publicly accessible. Each signature links to the next in a manner that proves they have signed no other records with that cert. (*)
5. You upload your signed example.com record to both the legacy DNS and a secure hash-based p2p network. (**)
6. You upload a regular, updatable/expiring DNS record for .hash into said network as well.
7. Upon doing DNS lookup, DNS servers ask the p2p network for valid, signed records; if they exist they are cached and the legacy DNS is not consulted. If not (or more likely in parallel), legacy DNS is asked and if a valid, signed *.hash redirect is found it's cached and reinserted into the p2p network (hopefully forever). Only if no signed records at all are found is the old, vulnerable record used.
If ICANN/the department of Louis Vuitton/whoever tries to hijack the domain name, they'll only do so for users not on the new system. Upgraded users will ignore the change.
If the CA tries to make forged records to redirect your permanent redirect it will be invalid (if done after the fact) or publicly detectable (if done in advance).
If you're running a security-aware DNS client and your middle-tier DNS server is up to shenanigans the certs won't verify.
The best part is this could be done from the middle-out without the consent of ICANN or need to reconfigure client devices--you just need one upgraded DNS server anywhere in the hierarchy above you.
There is no possible after-the-fact ambiguity over who owns the name so long as all the CAs get together and promise not to re-assign an already used name (which would be detectable and should result in them being banned from making further assignments).
(*) I think this is a solved crypto problem and a workable solution is described in the 1996 version of Bruce Schneier's Applied Cryptography, but I don't remember where I put it.
(**) This is theoretically a solved problem and mostly solved in practice.
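An added example, not part of the original comment: one way to audit the linked, published record list from step 4, using a SHA-256 hash chain as a stand-in for the linking scheme the comment only alludes to. It assumes the CA signs the final chain head with its weekly cert (signature checking is not shown); all function names and the `aaaa.hash`-style targets are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed starting value for each weekly log

def entry_hash(prev, name, target):
    # Each entry commits to its predecessor, so nothing can be inserted later.
    body = json.dumps({"prev": prev, "name": name, "target": target}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(log, name, target):
    # CA side: add a permanent redirect record and return the new chain head.
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "name": name, "target": target,
                "hash": entry_hash(prev, name, target)})
    return log[-1]["hash"]

def audit(log, published_head):
    # Auditor side: return a list of problems found in a published log.
    problems, prev, seen = [], GENESIS, {}
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(e["prev"], e["name"], e["target"]):
            problems.append(f"entry {i}: chain broken")
        if seen.setdefault(e["name"], e["target"]) != e["target"]:
            # Forgery made in advance: visible to anyone reading the list.
            problems.append(f"entry {i}: {e['name']} reassigned")
        prev = e["hash"]
    if prev != published_head:
        # Forgery made after the head was signed: it cannot match.
        problems.append("head mismatch: log does not match the signed head")
    return problems

def build_sample():
    # Constructed sample log with two honest assignments.
    log = []
    append(log, "example.com", "aaaa.hash")
    head = append(log, "example.org", "bbbb.hash")
    return log, head

if __name__ == "__main__":
    log, head = build_sample()
    print(audit(log, head))
```
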