Your plan seems reasonable. I think step 1 introduces a slight weakness in that clients will now accept more host certificates than they previously did.
> 3) make step 2) optionally through a config parameter such that those
> that do not want to rely on insecure-dns at all can turn it off.

I think that eventually the default for this should change so that DNS is not used (perhaps preceded by several years of outputting a warning that an insecure DNS lookup is being performed).

Another thing I find equally unpleasant about host certificates in the presence of multiple CAs (which is the case in all but the most trivial deployments) is that any CA may issue a host certificate for any host; and so (to a first approximation) any person may acquire a host certificate for any host name whatsoever, which can then be combined with a spoof of the forward lookup DNS.

--
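The decision the thread is arguing about, as an added example that is not part of the message above or of any Globus/GSI release: a client-side host-certificate name check with the intended host name as the only trustworthy match, the DNS-derived names as an opt-in fallback that emits a warning, and a constructed spoofing scenario showing why the fallback is weak once any trusted CA can issue a host certificate for any name. Assumed for illustration: host certificates carry the host name in the subject CN as "host/<fqdn>" or as a bare FQDN plus optional dNSName SANs, and the DNS answer arrives as an already-resolved list of names, so nothing touches the network. All host names and certificates in it are made up.

```python
"""Host-certificate name checking with and without an insecure-DNS fallback.

Added example, not code from the thread or from any Globus/GSI release.
Assumed conventions: the subject CN is "host/<fqdn>" or a bare FQDN, SANs are
given as strings, and DNS answers are passed in as already-resolved names.
"""
import warnings


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and a trailing dot is not significant."""
    return name.strip().lower().rstrip(".")


def cert_host_names(subject_cn: str, sans=()) -> set:
    """Collect the host names a host certificate asserts.

    Handles the "host/<fqdn>" CN convention as well as a bare FQDN CN, plus any
    dNSName entries from subjectAltName (supplied here as plain strings).
    """
    cn = subject_cn
    if cn.startswith("host/"):
        cn = cn[len("host/"):]
    names = {normalize(cn)}
    names.update(normalize(s) for s in sans)
    return names


def accept_host_cert(intended_host: str, cert_names: set, dns_names=(),
                     allow_insecure_dns: bool = False):
    """Decide whether a host certificate is acceptable for this connection.

    Returns (accepted, reason). Only the name the client set out to reach is a
    trustworthy match. Names obtained from DNS count only if the caller opted
    in, and then with a warning: a spoofed DNS answer lets any validly issued
    host certificate pass for the intended host.
    """
    if normalize(intended_host) in cert_names:
        return True, "matched the name the client intended to reach"
    if allow_insecure_dns:
        for alias in dns_names:
            if normalize(alias) in cert_names:
                warnings.warn(
                    "host certificate accepted via insecure DNS lookup; "
                    "this fallback is expected to be disabled by default later",
                    stacklevel=2,
                )
                return True, f"matched DNS-derived name {alias!r} (insecure)"
    return False, "no trustworthy name in the certificate matched the intended host"


def spoof_scenario(allow_insecure_dns: bool):
    """Constructed scenario: the client wants data.example.org, but an attacker
    holding a host certificate for a name of their own choosing (any trusted CA
    may issue one) also controls the DNS answers the client sees."""
    intended = "data.example.org"
    # Attacker's certificate, validly issued for the attacker's own host name.
    attacker_cert = cert_host_names("host/evil.example.net")
    # Spoofed lookup: DNS claims the address reached belongs to evil.example.net.
    spoofed_dns = ["evil.example.net."]
    return accept_host_cert(intended, attacker_cert, spoofed_dns, allow_insecure_dns)


def legitimate_scenario():
    """The genuine host's certificate matches the intended name directly; DNS is not consulted."""
    server_cert = cert_host_names("host/Data.Example.ORG", sans=["data.example.org"])
    return accept_host_cert("data.example.org", server_cert)


if __name__ == "__main__":
    warnings.simplefilter("always")
    print("legitimate:        ", legitimate_scenario())
    print("spoof, strict:     ", spoof_scenario(allow_insecure_dns=False))
    print("spoof, dns fallback:", spoof_scenario(allow_insecure_dns=True))
```

With the fallback off, the attacker's certificate is rejected even though it is validly issued and the spoofed DNS answer points at it; with the fallback on, the same connection is accepted, which is the "slight weakness" the reply describes. The warning is the transitional behaviour the reply proposes before the default flips.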
