[tryauuum]

when I said privacy I was had NSEC3 in mind. To be honest I have no idea how does it work / why is it a thing but it looks like it obfuscates (deleted?) subdomains to make it harder to enumerate them. This is why you see stuff like

    15bg9l6359f5ch23e34ddua6n1rihl9h.example.org

in zone file

[tptacek]

Right. That doesn't really work: you can crack them like a 1990s password file, which is why there's whitelies (online-signer chaff records) to defeat that attack. Either way: it's not really what people think about when they think "privacy". It's generally the position of the architects of DNSSEC that domain names simply aren't private at all. Meanwhile: actual DNS privacy, of what domains you're visiting with your browser, is provided by DoH, not DNSSEC.