Why are we not simply putting file hashes into DNS and validating with DNSSEC?
It is out-of-band wrt the browser and validated using the DNSSEC "PKI".
A simple extension/script in the browser/desktop could do the DNSSEC validation of the downloaded file hash on the fly so as to be invisible to the end user.
For example:
1. download https://www.ends2ends.com/es2es.exe
2. compute hash: "openssl dgst -sha256 es2es.exe" 
             or  "certutil -hashfile es2es.exe sha256"
3. get dnssec validated hash: "dig +dnssec TXT es2es.exe.ends2ends.com"
4. Compare hashes
5. Accept/reject
IP: -