This is called DANE. I don’t know if I missed an implied /s in your message.

You overlooked the need for DNSSEC, so another PKI with his own quirks, and somehow less reliable than CAs.