The note reads:

"All Gemini requests are TLS-encrypted, and authentication (both by servers and clients) is done using X.509 certificates. Unlike HTTPS, Gemini clients don't expect to authenticate server certificates via a CA-issued certificate chain. Instead, much like SSH, they use TOFU (Trust On First Use) authentication. This allows Gemini servers to either use CA-issued certs or (more commonly) just use self-signed certs. The biggest weakness in this security model is, of course, that if you experience a man-in-the-middle attack on your first visit to a new capsule, you'd never know. TOFU only protects you against sudden unexpected changes in the server certificate AFTER your first visit to the capsule. If I understand DANE correctly, it provides a mechanism for clients to authenticate a server certificate by checking its fingerprint against one that is co-published over DNS. That sounds like a clever, decentralized solution to TOFU's main weakness. I'm not aware of whether any Gemini clients support DANE yet though. If you know of any, please let me know. FYI, it looks like DANE is referenced as a potential added security option on top of TOFU in the official Gemini FAQ. Best of luck, and happy hacking!"

Official Gemini FAQ (see sections 4.5.5 and 4.5.6 for DANE references)