@feld I wanted to build a DNS resolver with CCF (distributed key-value store that ran in SGX enclaves and other TEEs). The clients would be able to get a remote attestation that they were connected to a server that ran a specific version of the server code. The network would be able to send queries to authoritative servers from any node, maintain an internal cache, and do spurious lookups to make it hard to attack with traffic analysis.
I think this would meet the requirements for DNS encryption.