"So a man in the middle could prevent updates from happening, and freshclam wouldn't even throw a warning?"
And yet it "works" and, as the OP mentioned, has for a long time. Often we get so conditioned to a security response that we forget that basic security often relies upon a "simple" and inexpensive solution. Using DNS in this way is a best-effort scenario that offloads work to servers designed for this purpose, and for an open source project you use what you have.
Oh, and there is a failover to HTTPS if the record is over three hours old.
https://docs.clamav.net/faq/faq-troubleshoot.html
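
The three-hour rule mentioned above, sketched as an added example (not part of the thread and not freshclam's own code). It assumes the TXT record is colon-separated with a Unix timestamp in the fourth field, a layout the thread does not state; the sample records are constructed.

```python
# Added example: staleness rule for the DNS update-info record (layout assumed).
from dataclasses import dataclass

MAX_AGE_SECONDS = 3 * 60 * 60  # "over three hours old", per the thread
TIMESTAMP_FIELD = 3            # assumption: 4th colon-separated field is a Unix time

# Constructed sample data, not real records.
NOW = 1_700_000_000
FRESH = "0.0.0:1:100:1699996400:1:1:1:1"   # 1 hour old at NOW
STALE = "0.0.0:1:100:1699985600:1:1:1:1"   # 4 hours old at NOW


@dataclass
class Decision:
    use_dns: bool
    reason: str


def evaluate_record(txt: str, now: int) -> Decision:
    """Accept the DNS answer only if it parses and is fresh; otherwise use HTTPS."""
    fields = txt.strip().strip('"').split(":")
    if len(fields) <= TIMESTAMP_FIELD:
        return Decision(False, "malformed record: fall back to HTTPS")
    try:
        record_time = int(fields[TIMESTAMP_FIELD])
    except ValueError:
        return Decision(False, "non-numeric timestamp: fall back to HTTPS")
    age = now - record_time
    if age > MAX_AGE_SECONDS:
        return Decision(False, f"record is {age}s old: fall back to HTTPS")
    # Extra check added in this example (not from the thread): a timestamp far
    # in the future points to a broken clock or a bad record, so distrust it.
    if age < -MAX_AGE_SECONDS:
        return Decision(False, "timestamp in the future: fall back to HTTPS")
    return Decision(True, f"record is {age}s old: DNS answer accepted")


if __name__ == "__main__":
    for label, record in (("fresh", FRESH), ("stale", STALE), ("junk", "n/a")):
        print(label, evaluate_record(record, NOW))
```

Logging each fallback decision gives an operator the warning the quoted question asks about: repeated fallbacks on one host are worth investigating.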