@jonty Absolutely beautiful! They design the verification to work on DNS, but then create a fallback that does NOT use DNS - yet validates domains.
WebFinger as it is used here isn't much better, but its saving grace is that it validates name@example.domain profiles, not naked domains.