[Borealid]

First, the DNSSec keys are TOFU so only the first connection is attack-able by someone in control of DNS zone root keys, and any other connections set off alarm bells.

Second, DNS lets you connect to someone else's host and get their public key without needing to find their (not your) CA.

Third, if you're not entering IP addresses by hand DNS forms some part of your systems trust no matter what you do. You're free to pin a domain's DNSSec KSK if you're very worried about someone in control of the whole Internet using that control to trick your first SSH connections.

[tptacek]

All SSH keys are TOFU! You can't mitigate the state-controlled PKI thing by saying it's TOFU; you get that property even without DNSSEC!

[Borealid]

I don't deny that, I was just pointing out that the threat model in question is someone in control of every DNS record somehow making a change that only affects new SSH connections. Because they control the record that says which KSK is okay for which domain, but presumably don't have your DNSSec private key.

The attack would be delicate to say the least .

Repeating, the purpose of DNS is for discovering sonething you don't administer. Like the SSH public key of a host, or the mailserver for a domain. CA certificates are for securing something you do administer.