> couldn't believe that people would be crazy enough to try to keep their DNS records secret
You'd hope people working on DNS would have had broader actual experience with it. There was an ironic lack of paranoia in the DNSSEC people, and they seemed overly focused on one peculiar problem, which is that it's easy to spoof DNS responses when you typically have at most 2**16 - 1024 ports to choose from. They sort of ignored everything else.
> If by "resolvers" you mean "local resolution-only servers", then that's common, but arguably bad, practice.
I haven't kept pace with DNSSEC, but originally, this was the _recommended_ configuration. Has that changed?
> Anyway, using TCP also neuters DNS as a DoS amplifier,
We're ensuring all servers support TCP, but we're not anywhere near dropping UDP.
They did recommend it at one point. But I don't think that makes it not-bad. It was long enough ago that they might have been worried about crypto performance; I don't know.