I want to try again with the explanation.
i.e., if you can't understand, it's my fault.
DNS encryption ensures nobody but you can see your traffic.
DNS signing proves the data you receive is the same that was sent.
A central key issuer, like Let's Encrypt, is considered more trusted than an individual key issuer, like you, because their keys can be verified against a known organisation. So a company with a reputation has verified you are valid.
Replies (1)
For the last part, I'd say it's more like this:
The server needs a public/private key pair to set up the key exchange for HTTPS.
Before DNSSEC+DANE (which no one implements... ugh), there was no secure way to know if a public key of a server is really that server, or a malicious actor in the middle pretending to be them.
So, certificate authorities (CAs) were created, which try to securely check that you own the domain name before giving you a certificate saying "This public key is trusted for this domain".
And your OS vendor trusts a certain set of CAs that they know are good and reliable, but not just anyone, because any trusted CA could spoof any website they want, like google.com.
With newer CAs like Let's Encrypt the ownership checking is automated and they check your DNS from multiple random points on the internet to ensure there is no one tampering.