Do we support DNSSEC? Without it, this is fairly useless and would possibly introduce securitah holes.
No, the uwaterloo.ca zone is not signed (neither is ca, for that matter). I don't see how adding this introduces security holes, though. This just provides another way for OpenSSH to check the fingerprint. If someone compromises DNS traffic (through a man-in-the-middle attack or otherwise), I think we're no worse off than where we are without SSHFP records.