Re: Practical issues deploying DNSSEC into the home.

I faced this problem in Omnibroker.

One answer is that DNS is an infrastructure for resolving Internet labels to Internet resources, including IP addresses. It is thus the only Internet infrastructure where infrastructure providers may reasonably be expected to maintain long-term IP addresses by the nature of their function.


So in Omnibroker, the idea is that it is a protocol to replace the communication between a client and a recursive resolver. This allows the addition of security features that are essential in the client-resolver loop, which the DNS protocol does not provide and which it is pointless to attempt to add to it.

For example, mutual authentication. If the DNS resolver is going to do recursive resolution and DNSSEC validation, then it had better validate the clients from which it accepts queries, or it will get DoS-attacked very quickly.

To support the mutual auth between the Omnibroker client and service, I establish a context that consists of a set of services, each of which specifies an IP address, port and shared secret.

This means that it is very easy to support an authenticated 'time check' protocol. For cryptographic purposes, we don't particularly care about the clocks being synchronized to better than a minute.
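The message above describes the shape of the mechanism (a per-service IP, port and shared secret; client authentication before the service does any work; a time check that only needs agreement to about a minute) but not its wire format. The following is an added illustration written for this archive page, not Omnibroker's own code or protocol: it uses HMAC-SHA256 over a pre-shared secret, a client nonce to bind the reply to one request, and a 60-second tolerance. The `Service` dataclass, the `req`/`rsp` labels, the field names and the 192.0.2.53 address are all assumptions made for the example.

```python
"""Authenticated 'time check' over a pre-shared secret.

Added example for illustration; not Omnibroker's protocol. The message
format, labels and tolerance below are assumptions of this example.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    """One entry of the client's context: address, port and shared secret (assumed layout)."""
    ip: str
    port: int
    secret: bytes


CLOCK_TOLERANCE = 60  # seconds; the post only needs clocks to agree to about a minute


def _tag(key: bytes, label: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a label and length-prefixed fields, so nonce||time cannot be re-split."""
    h = hmac.new(key, label, hashlib.sha256)
    for f in fields:
        h.update(struct.pack(">I", len(f)) + f)
    return h.digest()


def client_request(svc: Service, nonce: Optional[bytes] = None) -> dict:
    """Client -> service. The nonce makes the exchange fresh; the MAC proves the client holds the secret."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    return {"nonce": nonce, "mac": _tag(svc.secret, b"req", nonce)}


def service_reply(svc: Service, req: dict, now: int) -> dict:
    """Service side: authenticate the client before doing any work, then answer with a MACed time."""
    if not hmac.compare_digest(req["mac"], _tag(svc.secret, b"req", req["nonce"])):
        # Unauthenticated traffic is dropped here, so it cannot drive the service into expensive work.
        raise PermissionError("unauthenticated time-check request")
    t = struct.pack(">Q", now)
    return {"nonce": req["nonce"], "time": now, "mac": _tag(svc.secret, b"rsp", req["nonce"], t)}


def client_check(svc: Service, req: dict, rsp: dict, local_now: int) -> int:
    """Client side: verify the reply came from the service and answers *this* request; return the skew."""
    if rsp["nonce"] != req["nonce"]:
        raise ValueError("reply does not match the outstanding request (replayed or stale)")
    expected = _tag(svc.secret, b"rsp", req["nonce"], struct.pack(">Q", rsp["time"]))
    if not hmac.compare_digest(rsp["mac"], expected):
        raise ValueError("bad MAC: reply forged or time field altered in transit")
    return rsp["time"] - local_now


def clock_ok(skew: int) -> bool:
    """True when the local clock is within the tolerance the post considers sufficient."""
    return abs(skew) <= CLOCK_TOLERANCE


if __name__ == "__main__":
    # Constructed sample: documentation-range address and a fixed 32-byte secret.
    svc = Service("192.0.2.53", 5353, b"k" * 32)
    req = client_request(svc)
    rsp = service_reply(svc, req, now=1_700_000_000)
    skew = client_check(svc, req, rsp, local_now=1_700_000_030)
    print("skew", skew, "within tolerance:", clock_ok(skew))
```

The two checks that matter are in `service_reply` (the service refuses unauthenticated requests before doing anything else) and in `client_check` (the client rejects a reply whose nonce or MAC does not match, so an on-path attacker cannot substitute an old reply or edit the time field). With only a shared secret there is no way to tell the two parties' MACs apart except by the `req`/`rsp` label, which is why the label is included under the MAC.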

