Have you considered adding SSHFP records^1 (and consequently DNSSEC) for bgp.tools to make:
❯ =ssh lg@bgp.tools
The authenticity of host 'bgp.tools (185.230.223.150)' can't be established.
[...]
disappear at least with the modern OpenSSH clients?
P.S. When looking for the DS/DSKEY records for the domain I discovered that NS/SOA records across the name servers that serve bgp.tools are inconsistent. Probably it's because you're managing zone data with APIs and not relying on AXFR, still decided to let you know.
DNSSEC is a no-go with the current (and reasonably new) DNS setup (multi "big" vendor DNSSEC is really hard), and I cannot in good faith put SSHFP records on the zone without DNSSEC
Have you considered adding SSHFP records^1 (and consequently DNSSEC) for
bgp.tools
to make:disappear at least with the modern OpenSSH clients?
P.S. When looking for the DS/DSKEY records for the domain I discovered that NS/SOA records across the name servers that serve
bgp.tools
are inconsistent. Probably it's because you're managing zone data with APIs and not relying on AXFR, still decided to let you know.