All TLS/HTTPS clients have a set of Certificate Authority keys which they trust. Your client will only accept a public key which is signed by a trusted CA’s key. A proper CA will not sign a key for a domain when it has not verified that the entity that wants it’s key signed actually controls the domain.

If you’re going to mention Frank Zappa you also have to mention “Sheik Yerbouti” and “Ship Arriving Too Late to Save a Drowning Witch” by him.