Foobar? How is that different than existing DNSSEC?
Trusted name server, in the context of DNS, just means the zone is providing a key to prove it's authoritative to serve the records assigned to it (not spoofing a legit system).
From the perspective of this solution, a trusted DNS resolver is already running an encrypted connection (TLS or HTTPS), using the existing certificate authority infrastructure for those services, but more importantly, the client is locked down to only use that server by DHCP/Microsoft configuration policies.
Locking down connections to only talk to systems documented in DNS goes back to the invention of TCP wrappers in the early 90s. The reason that solution wasn't practical is the lack of DNS hygiene in most networks, so I expect people will need to invest heavily in automation and management tools to run DNS properly if they expect to use this system as intended.