That's not completely correct, surprisingly. You can put SSH public keys into DNS records with the SSHFP type and use DNSSEC to have a complete trust chain rather than using TOFU. It's disabled by default in OpenSSH, however, and I'd be pretty surprised if there was any large group of people making use of it presently.
I found it amusing that all it changes is a single line in the TOFU output, adding "Matching host key fingerprint found in DNS." among all the other scary warnings.
https://en.wikipedia.org/wiki/SSHFP_record described in https://datatracker.ietf.org/doc/html/rfc4255#section-3
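Added example, not part of the original comments: how an SSHFP record is derived from a host public key and how a presented key is checked against it, following the RFC 4255 rule that the fingerprint is a hash over the raw public key blob. The host name `host.example.` and both keys are constructed for illustration; the check is only meaningful when the DNS answer itself was DNSSEC-validated, which this sketch does not do.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
            "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def key_blob(pubkey_line):
    """Return (key type, raw blob) from an OpenSSH 'type base64 [comment]' line."""
    ktype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with a length-prefixed key type; it must agree with the text.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != ktype:
        raise ValueError("key type in blob does not match key line")
    return ktype, blob

def sshfp_record(host, pubkey_line, fp_type=2):
    """Build the zone-file line to publish for this host key."""
    ktype, blob = key_blob(pubkey_line)
    digest = FP_TYPES[fp_type](blob).hexdigest()
    return f"{host} IN SSHFP {KEY_ALGS[ktype]} {fp_type} {digest}"

def matches(record, pubkey_line):
    """True if the key the server presented matches the SSHFP record."""
    alg, fp_type, fp_hex = record.split()[-3:]
    ktype, blob = key_blob(pubkey_line)
    if KEY_ALGS.get(ktype) != int(alg) or int(fp_type) not in FP_TYPES:
        return False
    digest = FP_TYPES[int(fp_type)](blob).hexdigest()
    return hmac.compare_digest(digest, fp_hex.lower())

def make_ed25519_line(raw32):
    """Constructed sample key: wraps 32 arbitrary bytes in the ssh-ed25519 wire format."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

SAMPLE_KEY = make_ed25519_line(bytes(range(32)))  # constructed, not a real host key
OTHER_KEY = make_ed25519_line(bytes(32))          # constructed, stands in for an impostor

if __name__ == "__main__":
    rec = sshfp_record("host.example.", SAMPLE_KEY)
    print(rec)
    print("genuine key matches:", matches(rec, SAMPLE_KEY))
    print("other key matches:  ", matches(rec, OTHER_KEY))
```

On a real server, `ssh-keygen -r <hostname>` prints the records to publish, and the OpenSSH client only consults them when `VerifyHostKeyDNS` is enabled.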