by dane-pgp 1919 days ago
Thanks for the response!

It would be great if SkyDroid indicated to the user whether they were trusting the root servers or just the server providing the DNS (with no DNSSEC), but I suppose most users wouldn't be able to make practical use of that information.

I don't know what the security assumptions of Handshake domain lookups are. Does the client have to download the whole blockchain, or is there some lightweight proof that the client can receive from one semi-trusted entity, which is immune to replay attacks?

The idea of asking 10 different DNS-over-HTTPS servers for the same result is an excellent hack, as long as there is a careful balance between availability and integrity (i.e. a couple of colluding bad servers can't stop a quorum of good servers from providing a consensus answer).
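
The quorum trade-off raised in the comment above, sketched as an added example that is not part of the original comment or of SkyDroid's code: it takes answers already collected from several resolvers and accepts one only if enough of them agree. The function names, the fail-closed rule for conflicting answers, and the sample addresses are assumptions made for illustration.

```python
from collections import Counter
from typing import Iterable, Optional

def normalize(rrset: Iterable[str]) -> frozenset:
    """RRsets are unordered; compare them as sets of canonicalised strings."""
    return frozenset(r.strip().lower().rstrip(".") for r in rrset)

def quorum_answer(responses, quorum: int) -> Optional[frozenset]:
    """Return the RRset that at least `quorum` resolvers agree on, else None.

    `responses` holds one entry per resolver queried: a list of record
    strings, or None when that resolver timed out or returned an error.
    """
    if not 1 <= quorum <= len(responses):
        raise ValueError("quorum must be between 1 and the number of resolvers")
    votes = Counter(normalize(r) for r in responses if r is not None)
    winners = [rrset for rrset, n in votes.items() if n >= quorum]
    # Fail closed when a low quorum lets two conflicting answers both qualify.
    return winners[0] if len(winners) == 1 else None

def tolerances(n: int, quorum: int) -> dict:
    """Minimum number of colluding resolvers needed to break each property."""
    return {
        # A forged answer needs `quorum` matching votes (worst case: the
        # honest resolvers are unreachable and cannot outvote it).
        "forge_needs": quorum,
        # Deny an answer either by withholding enough votes that the honest
        # resolvers fall short, or by reaching quorum with a conflicting answer.
        "block_needs": min(n - quorum + 1, quorum),
    }

# Constructed sample data: 10 resolvers, 2 colluding, 1 timed out.
GOOD = ["192.0.2.10"]
FORGED = ["203.0.113.66"]
SAMPLE = [GOOD] * 7 + [FORGED] * 2 + [None]

if __name__ == "__main__":
    for q in (2, 6, 10):  # too low, simple majority, unanimity
        print(q, tolerances(10, q), quorum_answer(SAMPLE, q))
```

With ten resolvers, a quorum of 6 returns the honest answer despite the two colluders, while a quorum of 10 lets any single bad or slow resolver block resolution and a quorum of 2 lets two colluders force a conflict.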