Configuring ssh fingerprints on dns to replace known_hosts fails

Apparently my issues were caused by two different problems.

Issue #1

SSHFP does not support using search paths. So if you add "domain example.com" to /etc/resolv.conf then you would expect ssh myhost to work with SSHFP since regular ssh will correctly resolve the name to myhost.example.com. Apparently the OpenBSD devs are aware of the issue since a patch was issued 2 years ago but it was never applied. Instead an ssh_config hack was suggested but that doesn't appear to work either. So the solution to the first issue is that the FQDN must always be used with SSHFP.

Issue #2

Using FQDNs to solve the previous issue, everything works if I use the current version of the OpenSSH client, which is OpenSSH_6.1. The OpenSSH_5.8p2 client on my FreeBSD system is able to find the SSHFP records for a new OpenSSH_6.1 server, but it is unable to match the fingerprint it receives from DNS with the one it receives from the server. The OpenSSH_5.9p1 client on my OS X 10.8.2 machine is unable to even retrieve the SSHFP records for a new OpenSSH_6.1 server despite being a newer version of the client than the FreeBSD machine. Obviously it is unable to match the non-existent SSHFP records with the fingerprint returned by the OpenSSH server. Lastly, ssh-keygen on the FreeBSD box produces bad SSHFP records according to the OpenSSH_6.1 clients, which complain about a MITM attack since they don't match the fingerprint returned by the server. The solution appears to be that you must run the current version of both the OpenSSH client and server for SSHFP to work. Using an older version of either the client or the server is asking for trouble.

Final Thoughts

Using SSHFP with DNS is apparently too cutting edge to be used in a mixed OS environment and have everything "just work", since the non-OpenBSD OSes have to port OpenSSH portable, which is out of date by the time it is ported. Perhaps in 3-5 yrs, SSHFP will be stable enough that even the older versions which are ported to other OSs will also be stable and compatible with the latest version.
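To see concretely what the client compares when it matches a DNS SSHFP record against the host key the server presents, here is an added Python example (not part of the original post, nor OpenSSH's own code): it derives SSHFP records from an OpenSSH public key line the way `ssh-keygen -r` does, and checks a DNS record against the key, including the case of a client that only understands a subset of fingerprint types. The key line it builds is a constructed dummy blob in the OpenSSH wire format, not a real key.

```python
"""Generate and check SSHFP resource records from OpenSSH public host keys.

Added example, not from the original post. A DNS SSHFP record is
"algorithm fptype hex-fingerprint"; the fingerprint is a hash of the raw
base64-decoded key blob, so a client can only match a record whose
algorithm and fingerprint type it knows.
"""
import base64
import hashlib
import struct

# Code points from RFC 4255 (RSA, DSA, SHA-1), RFC 6594 (ECDSA, SHA-256)
# and RFC 7479 (Ed25519).
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (keytype, raw key blob) from a line such as 'ssh-rsa AAAA... comment'."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob begins with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match the prefix")
    return keytype, blob


def sshfp_records(line):
    """Return [(algorithm, fptype, hex fingerprint), ...] like 'ssh-keygen -r'."""
    keytype, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHM[keytype]
    return [(algo, fpt, h(blob).hexdigest()) for fpt, h in SSHFP_FPTYPE.items()]


def matches_dns(line, dns_record, known_fptypes=frozenset(SSHFP_FPTYPE)):
    """True when the DNS SSHFP record matches the key the server presented.

    known_fptypes models a client that understands only some fingerprint
    types: a record it cannot hash is treated as a non-match.
    """
    algo, fptype, fp = dns_record
    if fptype not in known_fptypes or fptype not in SSHFP_FPTYPE:
        return False
    return (algo, fptype, fp.lower()) in sshfp_records(line)


def constructed_key_line(keytype, *fields):
    """Build a syntactically valid OpenSSH public key line with dummy fields (constructed)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (keytype.encode(), *fields))
    return f"{keytype} {base64.b64encode(blob).decode()} constructed@example"
```

Running `ssh-keygen -r myhost.example.com` on the server and comparing its output with what this produces for the same key shows whether the records in the zone, or the client's view of them, are the part that disagrees.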

Tags: Dns, Ssh, Bind