by roblabla 1181 days ago
DNS can trivially be mitm'd. DNS-stored fingerprints are strictly less secure than TOFU.
1 comment
tialaramex 1181 days ago
If you use DNSSEC (cue inevitable rant from Thomas), this just works. If you have DoH (and why wouldn't you?) and your trusted resolver uses DNSSEC (which popular ones do), you get the same benefits.
https://en.wikipedia.org/wiki/SSHFP_record
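The two comments above disagree about when an SSHFP record can be trusted. The example below is added here and is not code from either commenter or from OpenSSH; it shows what an SSHFP record actually contains (the RFC 4255 algorithm number, the fingerprint type, and a hash of the raw public-key blob, exactly what `ssh-keygen -r` prints) and mirrors the decision OpenSSH's `VerifyHostKeyDNS` makes: a matching record is only trusted outright when the resolver reports it as DNSSEC-validated (the AD bit); a match from an unauthenticated answer still leaves the user with the usual fingerprint prompt, which is the point of the first comment. The sample ed25519 key (32 arbitrary bytes), the host name `host.example`, and the dict used to stand in for a resolver reply are constructed for the example, and `verify_host_key` and its result strings are this example's own names, not an OpenSSH API.

```python
"""SSHFP generation and DNSSEC-aware host-key verification (added example)."""
import base64
import hashlib
import struct

# Algorithm and fingerprint-type numbers from RFC 4255 (RSA, DSA, SHA-1),
# RFC 6594 (ECDSA, SHA-256) and RFC 7479 (Ed25519).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1 = 1
SSHFP_SHA256 = 2


def parse_openssh_pubkey(line):
    """Return (keytype, blob) from an authorized_keys/known_hosts style line."""
    fields = line.split()
    keytype = fields[0]
    blob = base64.b64decode(fields[1])
    # The wire blob starts with an SSH string naming the key type; make sure it
    # agrees with the text field so we never fingerprint a mislabelled key.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in blob does not match key type in text")
    return keytype, blob


def sshfp_records(line):
    """Presentation-format SSHFP RDATA tuples (alg, fptype, hexfp) for a key.

    The fingerprint is the hash of the raw public-key blob, which is what
    `ssh-keygen -r` emits for a host key file.
    """
    keytype, blob = parse_openssh_pubkey(line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [
        (alg, SSHFP_SHA1, hashlib.sha1(blob).hexdigest()),
        (alg, SSHFP_SHA256, hashlib.sha256(blob).hexdigest()),
    ]


def verify_host_key(line, answer):
    """Decide what an SSHFP answer is worth, mirroring OpenSSH's VerifyHostKeyDNS.

    `answer` is a constructed stand-in for a resolver reply:
        {"ad": <bool, the DNSSEC Authenticated Data flag>,
         "records": [(alg, fptype, hexfp), ...]}
    Returns "trusted" only when a record matches AND the resolver validated the
    answer with DNSSEC. A match without AD is "matched-insecure": anyone on the
    path could have forged it, so OpenSSH still prompts the user in that case.
    """
    expected = set(sshfp_records(line))
    records = {(a, t, fp.lower()) for (a, t, fp) in answer["records"]}
    if not records:
        return "no-record"
    if not expected & records:
        return "mismatch"
    return "trusted" if answer["ad"] else "matched-insecure"


def _constructed_ed25519_line():
    # Constructed sample key: 32 arbitrary bytes standing in for a real Ed25519
    # public key (only the hashing matters here, not curve validity).
    keytype = b"ssh-ed25519"
    pk = bytes(range(32))
    blob = (struct.pack(">I", len(keytype)) + keytype
            + struct.pack(">I", len(pk)) + pk)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host.example"


SAMPLE_KEY_LINE = _constructed_ed25519_line()

if __name__ == "__main__":
    for alg, fptype, fp in sshfp_records(SAMPLE_KEY_LINE):
        print(f"host.example. IN SSHFP {alg} {fptype} {fp}")
    recs = sshfp_records(SAMPLE_KEY_LINE)
    print(verify_host_key(SAMPLE_KEY_LINE, {"ad": True, "records": recs}))
    print(verify_host_key(SAMPLE_KEY_LINE, {"ad": False, "records": recs}))
```

To check what a real resolver is giving you, `dig +dnssec SSHFP host.example` shows whether the `ad` flag is present in the answer; without it the record is just unauthenticated DNS data, and `ssh-keygen -r host.example -f /etc/ssh/ssh_host_ed25519_key.pub` is the supported way to produce the records to publish.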