This sounds to me like everybody has to use the same DNS resolver or plug into the same DNS resolution services somehow. And those have to plug into blockchain. And then you've got DANE and TLS fingerprinting, and how much other stuff?

I find it far simpler to just use self-signed certificates, set the certificate verifier to ignore the issuer-trust relationship and just verify the self-signature matches the pubkey, and then check if the key in the certificate is the nostr key of the relay you were trying to connet to. Zero external services, no DNS, no blockchain, nada. Just client-server. Of course, where my idea falls down (which I think I already explained) is that in nostr relays don't have keys they have URLs. But other than that, far simpler.