The UX for ToFU depends on the use model. For DHCP, the use model I would expect to be most common would be "if I have a choice between a server I talked to before that worked, and a server whose claimed identity can't be checked either because no authentication or because never seen before, pick the one I've seen before that worked." So it would be interesting to answer the question, does this make things worse or better in practice? I think better, but I'm curious to see what sort of opprobrium will rain down on me for putting forth that theory. :)
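The selection rule described above, sketched as an added example; it is not part of the original message or of any DHCP implementation. The `Offer` and `Pin` fields, the in-memory pin store, and the choice to reject a known server ID that presents a different key are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Offer:
    server_id: str          # identity the server claims (hypothetical field)
    key_fp: Optional[str]   # fingerprint of the signing key; None = no authentication


@dataclass
class Pin:
    key_fp: str             # key seen the first time this server was used
    worked: bool            # whether the lease from that server actually worked


def classify(offer: Offer, pins: Dict[str, Pin]) -> str:
    """Sort an offer into: pinned, unknown, unauthenticated, or mismatch."""
    if offer.key_fp is None:
        return "unauthenticated"
    pin = pins.get(offer.server_id)
    if pin is None:
        return "unknown"
    if pin.key_fp != offer.key_fp:
        return "mismatch"   # assumption: same claimed ID, different key
    return "pinned" if pin.worked else "unknown"


def choose_offer(offers: List[Offer], pins: Dict[str, Pin]) -> Optional[Offer]:
    """Prefer a server seen before that worked; otherwise take any offer whose
    identity cannot be checked (unauthenticated and never-seen rank equally)."""
    rank = {"pinned": 0, "unknown": 1, "unauthenticated": 1}
    best = None
    for index, offer in enumerate(offers):
        kind = classify(offer, pins)
        if kind not in rank:
            continue        # assumption: a key mismatch is never selected
        candidate = (rank[kind], index, offer)
        if best is None or candidate[:2] < best[:2]:
            best = candidate
    return best[2] if best else None


def remember(offer: Offer, pins: Dict[str, Pin], worked: bool) -> None:
    """Trust on first use: pin the key once, never overwrite an existing pin."""
    if offer.key_fp is not None and offer.server_id not in pins:
        pins[offer.server_id] = Pin(offer.key_fp, worked)
```

With an empty pin store the client behaves exactly as an unauthenticated client would, so the policy only changes the outcome once a server has been used successfully.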