by sadpluto 5063 days ago
How can DANE ever work if DNS (including DNSSEC) is an unencrypted protocol? Doesn't this mean that the moment you get a response to a DNS query a malicious network could return orchestrated nonsense?

It looks like something like DNSCurve [1] would be needed, though Paul Vixie stated [2]:

  [...] the problems DNSCurve actually does solve are pretty well solved by UDP source port randomization and will be entirely eradicated by DNSSEC [...]
How does it solve the encryption problem?

[1] http://dnscurve.org/

[2] http://www.isc.org/community/blog/201002/whither-dnscurve