There are a bunch of awkward constraints and trade-offs that make it difficult to do DNS-over-TLS to authoritative servers. I have some work in progress trying to write a reasonably comprehensive analysis of how to go about it (I have been waiting years for someone else to and finally lost patience...)