OpenSSH has the ability to fetch the server's host key from DNS and to verify it using DNSSEC. This is very useful from an administration point of view as you don't have to roll out clients with the host key preconfigured.
We should consider enabling this support in our ssh and also mention it in the documentation.
There are some security considerations as well. ssh cannot reasonably validate DNSSEC all the way to the root, so it has to trust the resolver. That means that:
a) You trust that your resolver is friendly and hasn't been compromised
b) You're on a network where an attacker cannot spoof replies from the resolver
This is probably true on a corporate network, but probably not for laptops that are often on public networks.
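A simplified model of the check discussed above, as an added example that is not OpenSSH's own code: it derives the SSHFP record data for a host key and shows how the trust decision depends on the resolver's AD flag. The option name `VerifyHostKeyDNS` and its yes/ask/no values are from ssh_config(5); the function names are hypothetical and the host key is constructed.

```python
import base64, hashlib, struct

# SSHFP algorithm numbers by key-type prefix; fingerprint types 1=SHA-1, 2=SHA-256.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-": 3, "ssh-ed25519": 4}
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line, fp_type=2):
    """(algorithm, fp_type, hex digest) for an OpenSSH public key line.
    The digest covers the raw key blob, i.e. the decoded base64 field."""
    key_type, b64 = pubkey_line.split()[:2]
    algo = next((n for p, n in SSHFP_ALGO.items() if key_type.startswith(p)), None)
    if algo is None or fp_type not in FP_HASH:
        raise ValueError("unsupported key or fingerprint type")
    return algo, fp_type, FP_HASH[fp_type](base64.b64decode(b64)).hexdigest()

def decide(pubkey_line, records, ad_bit, verify_host_key_dns="yes"):
    """Simplified model of the client decision (assumption, not OpenSSH code).
    records: (algorithm, fp_type, hex) tuples from the SSHFP answer.
    ad_bit: the resolver's 'authenticated data' flag, taken on trust."""
    if verify_host_key_dns == "no":
        return "ask"     # DNS is not consulted; normal known_hosts handling
    match = any(t in FP_HASH and sshfp_rdata(pubkey_line, t) == (a, t, fp.lower())
                for a, t, fp in records)
    if match and ad_bit and verify_host_key_dns == "yes":
        return "trust"   # accepted with no known_hosts entry and no prompt
    return "ask"         # falls back to known_hosts / interactive confirmation

def _constructed_ed25519_line():
    # Constructed sample key: SSH wire format is length-prefixed strings.
    blob = b"".join(struct.pack(">I", len(s)) + s
                    for s in (b"ssh-ed25519", bytes(range(32))))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

HOST_KEY = _constructed_ed25519_line()
PUBLISHED = [sshfp_rdata(HOST_KEY, 2)]   # what the zone would publish

if __name__ == "__main__":
    print("SSHFP %d %d %s" % PUBLISHED[0])
    for ad in (True, False):
        print("AD =", ad, "->", decide(HOST_KEY, PUBLISHED, ad))
```

The two printed decisions differ only in `ad_bit`, a flag the client takes from the resolver's reply rather than checking itself, which is why points a) and b) above matter.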