barwen.ch DNS is signed using DNSSEC, with a trusted path all the way from the root zone. The name server running on s0.barwen.ch is also configured to be a secure resolver. However, at the moment, applications running on s0 do not use that resolver because of uncertainty about how it will interact with Amazon’s EC2-internal resolvers.
SSHFP records are available for s0.barwen.ch, so that your ssh client can automatically verify the SSH host key fingerprint (the question that you always answer ‘yes’ to without checking…).
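The check an SSHFP record makes possible, as an added example (not part of the original page): derive the record data from the host key a server offers and compare it with what DNS publishes. The key below is constructed for illustration and is not s0.barwen.ch's key; the function names are hypothetical. OpenSSH performs this comparison itself when `VerifyHostKeyDNS` is enabled, and skips the prompt only when the answer was DNSSEC-validated.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                  "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex_fingerprint) for an OpenSSH public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    if key_type not in KEY_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed key type; it must agree with the label.
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type label does not match key blob")
    # The fingerprint is the digest of the whole decoded blob.
    return KEY_ALGORITHMS[key_type], fp_type, DIGESTS[fp_type](blob).hexdigest()


def host_key_matches(pubkey_line, sshfp_records):
    """True if any SSHFP record in text form ('alg type hex') matches the key."""
    for record in sshfp_records:
        alg, fp_type, fingerprint = record.split(None, 2)
        if int(fp_type) not in DIGESTS:
            continue  # unknown fingerprint type: cannot be checked, so ignore it
        published = (int(alg), int(fp_type), fingerprint.replace(" ", "").lower())
        if published == sshfp_rdata(pubkey_line, int(fp_type)):
            return True
    return False


def constructed_ed25519_line(raw_key):
    """Build a public key line from 32 raw bytes (constructed sample input)."""
    name = b"ssh-ed25519"
    blob = (len(name).to_bytes(4, "big") + name
            + len(raw_key).to_bytes(4, "big") + raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = constructed_ed25519_line(bytes(range(32)))
    alg, fp_type, fp = sshfp_rdata(line)
    print("host.example. IN SSHFP", alg, fp_type, fp)
    print("match:", host_key_matches(line, ["%d %d %s" % (alg, fp_type, fp)]))
```

A match only means something if the SSHFP answer itself was validated, which is why the DNSSEC chain from the root zone matters here.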