TLS you cannot provide a proof for (it’s asymmetric in the cert but used to derive symmetric keys, so you can forge a transcript). DNS is not, so like you say you can avoid all the complexity, and a totally untrusted device can provide a proof to a totally offline device (e.g. a hardware wallet).
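The distinction the comment draws, as an added example that is not part of the original post: a transcript protected by a shared symmetric key (modelled here with HMAC-SHA256, standing in for the record keys both TLS endpoints derive) can be re-tagged by anyone holding that key, so it is not a proof a third party can rely on; a record signed with a private key (modelled with Ed25519, standing in for a DNSSEC zone key) can be relayed through an untrusted party and still verified by a device holding only the public key. The function names, the fixed seed, and the sample transcript and record are constructed for this illustration and are not the commenter's code.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// MacTranscript tags a transcript under a shared symmetric key. This stands in
// for the TLS record keys both endpoints derive from the handshake: whoever
// holds the key can produce a valid tag for any transcript, so the tag proves
// nothing to a third party about what the peer actually sent.
func MacTranscript(key []byte, transcript string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(transcript))
	return m.Sum(nil)
}

// MacVerify checks a tag. It needs the same key the tag was made with, which is
// exactly why the verifier could also have forged it.
func MacVerify(key []byte, transcript string, tag []byte) bool {
	return hmac.Equal(tag, MacTranscript(key, transcript))
}

// DemoKeyPair derives a fixed Ed25519 key pair from a constructed seed (example
// only; a real zone key would come from the zone operator). It stands in for a
// signing key whose public half an offline device can carry.
func DemoKeyPair() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// SignRecord signs a record; only the holder of the private key can do this,
// so a relay that merely forwards the record and signature cannot alter it.
func SignRecord(priv ed25519.PrivateKey, record string) []byte {
	return ed25519.Sign(priv, []byte(record))
}

// VerifyRecord checks a signature using only the public key, which is all an
// offline device needs to accept a proof handed over by an untrusted relay.
func VerifyRecord(pub ed25519.PublicKey, record string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(record), sig)
}

func main() {
	// Symmetric case: the party checking the tag can also mint one for a
	// different transcript, so the tag is not evidence for anyone else.
	sessionKey := []byte("constructed-shared-session-key") // constructed sample
	genuine := "server said: balance=100"
	forged := "server said: balance=1000000"
	fmt.Println("MAC on genuine transcript verifies:", MacVerify(sessionKey, genuine, MacTranscript(sessionKey, genuine)))
	fmt.Println("MAC on forged transcript also verifies:", MacVerify(sessionKey, forged, MacTranscript(sessionKey, forged)))

	// Asymmetric case: the relay sees record and signature but holds no private
	// key; the offline verifier accepts the genuine record and rejects a change.
	priv, pub := DemoKeyPair()
	record := "example.test. IN A 192.0.2.1" // constructed sample record
	sig := SignRecord(priv, record)
	fmt.Println("signature on genuine record verifies:", VerifyRecord(pub, record, sig))
	fmt.Println("same signature on altered record verifies:", VerifyRecord(pub, "example.test. IN A 192.0.2.2", sig))
}
```

The point the run makes is the one in the comment: both MAC checks pass because the checker holds the key, so a MAC'd transcript cannot serve as a proof to anyone who was not in the session, whereas the signature check passes only for the record the key holder actually signed.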