When we do DNSSEC, write a proposal for cross-verification
I think we should cross-verify entries in the cache - if one exit or upstream somehow has the ability to forge a sig for an entry, torproject.org. (by owning us and taking our DNSSEC keys), we should do something smart.
We will have to deal with updates to DNS records and also stolen keys that are able to properly sign new DNS records.
We'll also need to deal with GeoIP giving different answers to different exits, etc.