You really want to integrate this with the DHCP response (though that's also not authenticated in any way). The problem with
A good first step would be for the DHCP response to include a root cert that can be used only for things on the current network. Ideally, you probably also want something integrated with mDNS so that devices that publish their names via mDNS can also publish their cert via the same mechanism and have other parties automatically reject names if the signing cert changes. Neither of these mechanisms is very secure, but they are both probably better than nothing - at least they give you reasonable protection against passive eavesdroppers.
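A sketch of the two mechanisms in the comment above, written here as an added example; it is not code from the commenter. It assumes the DHCP-delivered root is a name-constrained X.509 CA limited to `.local` (that is the "usable only on the current network" part), that an mDNS TXT record carries the device's leaf certificate in DER, and that the thing pinned per name is the leaf's public key (the comment says "signing cert"; pinning the leaf's SubjectPublicKeyInfo is this example's reading). The hostnames and the function names `MakeNetworkRoot`, `IssueDeviceCert` and `Verifier.Accept` are made up for the demonstration; issuance and chain checking use Go's standard `crypto/x509`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

func newSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	return n
}

// MakeNetworkRoot mints the self-signed root a DHCP server would hand out.
// The critical name constraint is what limits it to "things on the current
// network": it can only issue for names under suffix (".local" here).
func MakeNetworkRoot(suffix string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                newSerial(),
		Subject:                     pkix.Name{CommonName: "network root"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		IsCA:                        true,
		BasicConstraintsValid:       true,
		PermittedDNSDomainsCritical: true,
		PermittedDNSDomains:         []string{suffix},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert produces the leaf a device would publish (as DER) in the
// same mDNS record set that announces its name.
func IssueDeviceCert(name string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: newSerial(),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
}

// Verifier is one host's view of the network: the root it received over DHCP
// plus the key it has pinned for every mDNS name it has already seen.
type Verifier struct {
	roots *x509.CertPool
	pins  map[string]string // mDNS name -> hex SHA-256 of the leaf's SubjectPublicKeyInfo
}

func NewVerifier(networkRoot *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(networkRoot)
	return &Verifier{roots: pool, pins: map[string]string{}}
}

// Accept checks an announcement of (name, leaf DER): the leaf must chain to
// the DHCP-supplied root under its name constraint, and once a name has been
// seen its key is pinned, so a later announcement under a different key fails.
func (v *Verifier) Accept(name string, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: name, Roots: v.roots}); err != nil {
		return fmt.Errorf("%s: does not chain to the network root: %w", name, err)
	}
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	fp := hex.EncodeToString(sum[:])
	if old, seen := v.pins[name]; seen && old != fp {
		return fmt.Errorf("%s: key changed since first seen (pinned %s..., got %s...)", name, old[:12], fp[:12])
	}
	v.pins[name] = fp // trust on first use
	return nil
}

func main() {
	root, rootKey, _ := MakeNetworkRoot(".local")
	v := NewVerifier(root)
	printer, _ := IssueDeviceCert("printer.local", root, rootKey)
	fmt.Println("first sight:      ", v.Accept("printer.local", printer))
	fmt.Println("same cert again:  ", v.Accept("printer.local", printer))
	rekeyed, _ := IssueDeviceCert("printer.local", root, rootKey)
	fmt.Println("rekeyed printer:  ", v.Accept("printer.local", rekeyed))
	rogue, rogueKey, _ := MakeNetworkRoot(".local")
	nas, _ := IssueDeviceCert("nas.local", rogue, rogueKey)
	fmt.Println("other net's root: ", v.Accept("nas.local", nas))
	outside, _ := IssueDeviceCert("bank.example.com", root, rootKey)
	fmt.Println("outside .local:   ", v.Accept("bank.example.com", outside))
}
```

The last two rejections show what the name constraint buys: a root handed out on one network cannot vouch for names on another network or on the public internet, even if a client were tricked into installing it. The limit is the one the comment already states: DHCP is unauthenticated, so whoever answers first when a host joins chooses the root, and the pin only protects sessions after that first sight. That is protection against a passive eavesdropper, not against an active attacker who was present from the start.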