You publish the public key on an insecure channel (DNS).
Then, after the resolver gets the key, everything is safe. But getting the key might not be safe at all.
DNSCrypt has been out a couple of years but does not yet have a standard RFC and is not used by the DNS root servers.
Or did I miss something in the chain of trust?
https://datatracker.ietf.org/doc/draft-denis-dprive-dnscrypt...
It's not used by DNS root servers because it's designed to secure communications between clients and caches, not between caches and authoritative servers.