On each attempt to connect to a federated instance:
1) check presence of TLSA record in DNS for _xxx._tcp.host.example.com where _xxx is the target port number used by Mastodon/Matrix
2) get the hash from the TLSA record
3) when TLS connection is established, verify the TLSA hash against the certificate actually received
Would not it not add security?
I dont think that it would slow down federation, because it would not make sense to do a lookup every single time, but instead do it once every hour or when the TTL runs out.
If you are worrying about your DNS-hosting, then you should probably consider to change.
A instance dedicated - but not limited - to people with an interest in the GNU+Linux ecosystem and/or general tech. Sysadmins to enthusiasts, creators to movielovers - Welcome!