Gregory's ServerOn each attempt to connect to a federated instance:
1) check presence of TLSA record in DNS for _xxx._tcp.host.example.com where _xxx is the target port number used by Mastodon/Matrix
2) get the hash from the TLSA record
3) when TLS connection is established, verify the TLSA hash against the certificate actually received
Details https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities