DNS-over-TLS offered to clients; questions

[Phil Pennock]

Folks,

Configuring DNS-over-TLS to be offered to clients was easy with Unbound;
I'm running with ECC TLS from my private CA, and
https://github.com/bortzmeyer/monitor-dns-over-tls lets me confirm that
service is working, with a monitoring plugin no less!

Skimming RFC 7858, it appears that: (1) port 853 is mandated for an
opportunistic discovery mode, where clients just try it and see if it
works, without any signalling; (2) pinning is supposed to be available,
but there's no wire protocol way of signalling pins, whether via DHCP or
anything else; (3) certificate verification is _entirely_ chain
verification, no identity verification.

Is 3 correct?  No hostname or other identifier validation at all, so a
stolen cert from elsewhere issued by a trusted CA can then impersonate
DNS?  Anyone know if there are any moves to, eg, look for an IP address
in the SAN field?

Any conveying signalling of pins by some means?

Thanks,
-Phil