This sounds like exactly the same problem that you have today with SSL certs.
If you assume that the client, server, and trusted third party are all intact, then you don't have anything to worry about.
No need to add another layer (with the DNS) with the same limitations.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds