> There's nothing about DoH that makes it complicated to speak it to an authority server.

There’s a problem with HTTPS, though. HTTPS uses URLs that use WebPKI to tie the URL to the certificate validation algorithm. Which means you need WebPKI certificates, which needs DNS. Chicken, meet egg.

Maybe there could be a new URL scheme that doesn’t need WebPKI. It could be spelled like:

    https_explicit:[key material]//host.name/path

or maybe something slightly crazy and even somewhat backwards compatible if the CA/browser people wouldn’t blow a fuse:

    https://1.2.3.4.ipv4.[key material].explicit_key.net

explicit_key.net would be some appropriate reserved domain, and some neutral party (ICANN?) could actually register it, expose the appropriate A records and, using a trusted and name-constrained intermediate CA, issue actual certificates that allow existing browsers to validate the key material in the domain name.