[Borealid]

I don't deny that, I was just pointing out that the threat model in question is someone in control of every DNS record somehow making a change that only affects new SSH connections. Because they control the record that says which KSK is okay for which domain, but presumably don't have your DNSSec private key.

The attack would be delicate to say the least .

Repeating, the purpose of DNS is for discovering sonething you don't administer. Like the SSH public key of a host, or the mailserver for a domain. CA certificates are for securing something you do administer.