An alternative to host keys would be to use host certificates instead of keys. It's (a lot) more work to set up, but allows for flexible central management of authentication, plus also eliminates this issue with the known_hosts files.

Disclosure: I work at the company that created Teleport.

Teleport [0] should hopefully make it easier to use certificates.

An alternative implementation is Netflix’s Bless [1].

[0] https://github.com/gravitational/teleport

[1] https://github.com/Netflix/bless
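
The host-certificate setup the first comment describes, sketched with plain OpenSSH `ssh-keygen` as an added example (it is not part of the thread and not Teleport or BLESS code). The directory layout, the `web1` host name, the `example.com` domain, the certificate identity and the one-year validity are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: issue an SSH host certificate from a host CA so clients
# trust one CA line instead of one known_hosts entry per server.
# All names and paths below are constructed for illustration.

# Create the host CA key pair and one server host key in directory $1.
# In practice the CA private key stays on an offline or tightly held machine.
make_keys() {
    dir=$1
    ssh-keygen -q -t ed25519 -N '' -C 'example-host-ca' -f "$dir/host_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'web1 host key' \
        -f "$dir/ssh_host_ed25519_key"
}

# Sign the server's public host key with the CA.
#   -h  issue a host certificate (not a user certificate)
#   -I  identity string recorded in the certificate and in sshd logs
#   -n  host names the certificate is valid for ($2, comma-separated)
#   -V  validity window; a short window limits exposure of a stolen host key
# Writes $dir/ssh_host_ed25519_key-cert.pub next to the public key.
sign_host_key() {
    dir=$1
    principals=$2
    ssh-keygen -q -s "$dir/host_ca" -h -I 'web1-host-cert' \
        -n "$principals" -V +52w "$dir/ssh_host_ed25519_key.pub"
}

# The single known_hosts line a client needs: trust host certificates
# signed by this CA for hosts matching pattern $2.
known_hosts_line() {
    dir=$1
    pattern=$2
    printf '@cert-authority %s %s\n' "$pattern" "$(cat "$dir/host_ca.pub")"
}

# Show certificate type, principals and validity for review.
cert_summary() {
    ssh-keygen -L -f "$1/ssh_host_ed25519_key-cert.pub"
}

# Server side, in sshd_config (path is an assumption):
#   HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
```

With the `@cert-authority` line in place, a rebuilt or newly added server with a certificate for a matching name is accepted without a new known_hosts entry, while a host presenting an unsigned key or a certificate for a different name is not covered by that line.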