It almost doesn't matter, because it seems to need DNS over HTTPS, the standard way for that will be to host it from the same server that already serves your HTTP traffic anyway (I swear there was an httpd module that already served DNS because it knew the configured IPs and VHost names), and the certificate for that will be secured by :shuffles paper: look, a three-headed monkey!
Seriously, I don't think this will fly. Short-lived keys don't work well with caching. Rotating and publishing keys automatically is surprisingly hard (Thunderbird update servers failed their Let's Encrypt two or three times in a row, they only noticed after the in-production cert expired; dnssec-tools.org ran with expired certs for months). Standards like HPKP died (removed in Chrome) before being born (adopted in Edge) because deploying them safely requires a bit of thinking.
There is a current trend to shift everything to DNS records because people believe it's miraculously safe there. However, this is probably only true because it serves a fairly narrow purpose. Once every net service you offer needs access to an automated interface to set DNS records, these servers will be just as vulnerable, if not more so, as web servers.
Interesting reading: https://blog.powerdns.com/2018/03/22/the-dns-camel-or-the-rise-in-dns-complexit/