Here is my reply to Joe:
Your solution is good. In general, anyone worried about this kind of invasion of privacy should arrange to run their own root servers. The more the merrier. This is not necessarily about having multiple roots with colliding TLDs, but about security from surveillance.
A better solution would be to turn off recursion; this _may_ lead to partitioning away from the rest of the internet, just as running a local root may lead to partitioning away. The benefit, of course, is that you don't worry about someone tapping into any sub-domain DNS server. Slightly better than that is to disconnect from the network entirely. This will help prevent someone from eavesdropping on other protocols as well. Again, this may lead to partitioning away from the rest of the network.