To protect DNS users from sniffing (see RFC 7626), it would be good if BIND enabled RFC 7858, like Unbound does. (This is for the resolver, although encryption when talking to a forwarded would be nice, too.)
