DNSSEC

My suspicion is that DNSSEC addresses issues of subverting the network outside DNS servers, but does not address subverting the appointed DNS servers themselves. That is the main reason I am studying the definition.

The document seems oriented exclusively to the SSH protocol. I consider it here as a proposal for https as well. I am unaware of any different requirements.

Section 2.2: Bravo.
This describes how to manage the key agreement options that a client (browser, ssh app, etc.) might use so that the user, on the client end, might know what the rules are. This is a very good requirement and I don’t know any app that does this today.

I would argue for two default modes, a factory setting and a “preferences setting” which could be examined and modified by the user so as to last between sessions. Finer grained policy should probably be interactive with the application displaying any reasons to believe that some fingerprint is the right one.