What problem are we solving, exactly? No eavesdropping is simple enough. No MITM is not preventable without information known to come from the intended source. Presently we have "all knowers" called certificate authorities. We trust them as a collective not individually. Their security depending on their collective is a fatal mistake. The idea of an all-knower is very, very convenient for the design of these systems.

Yet, is it required? Surely there must be a distributed, not decentralized* approach that works to spread information with certainty. 

The problem then lies with the link between the security record (signature, proof of private key) and the name record (DNS). Simply signing the DNS records would be enough, then the DNS records must be provided properly. This is moving the problem. Yet, it is moving the problem to the DNS provider, which also suffers from the centralization weakness that persists in such decentralized arrangements.

Having a DHT in which several known friends are anchored might allow that DHT to "vote" on the subject. Every node will accumulate the votes from its trusted neighbors and vote on what the majority agrees on. Heuristic, but typically functional. And we swat two flies with one blow. SDNS, (Secure Distributed Name Server) a mapping from name to signed machine location data. 

In this future the overhead for security is as big as the signature for the SDNS record, and the encryption and decryption on the data itself.

--Lewis

*the current approach defies the boundary between centralized and decentralized. I believe that, in practice, we could better describe it as centralized.