So, nothing really exists that does this as one product. You could maybe cobble together a few things to do something silimar, but not likely with things like iOS/Android as you're limited to what you can change (without jailbreaking/rooting etc).
If you want to protect the query from prying eyes between client and server, you can use things like DNSCrypt or DNS over TLS, but this doesn't address the concern that anyone can still query your domain.
DNSSEC only allows you to validate that the record is in-fact what is expected, but to my knowledge doesn't provide an authentication mechanism. It's goal is to sign DNS responses to indicate that the query hasn't been modified by some other entity after it was requested.
The problem with what you want to accomplish is that this isn't how DNS works. At a fundamental level, DNS is a form of a distributed service. When you configure a DNS server on your device (phone, tablet, PC, w/e) it will send all DNS queries to this box and expect a response. If this box knows what the value is, it will return it, if it doesn't, then it has to go to the next box in it's configuration and ask that box for the value; this process repeats until a response is found.
If you wanted to limit who can query your box, your best bet is firewall rules to control who can send a request to the system in the first place. This obviously isn't something that will work for mobile and dynamic clients.
What you're asking for, would like have to be a customized solution, or extension to something like DNS over TLS where authentication can be added. Maybe something like a client-certificate with a DNS over TLS connection can be used to prove the client is what you're expecting and then if that's correct, provide the DNS response. I don't think this is available with DNS over TLS now, but it seems feasible to add in.
What is your real goal here? When people ask such extremely specific questions like this one, it's because they have a goal in mind and think they've found a path to address it... often they're looking in the wrong direction for the answer.
UPDATE:
ssh'ing into my laptop based on just on a domain name would be nice
So we've already gone through why this isn't going to work with just DNS. If really want authenticated DNS, you'll have to build a custom solution as I'm not aware of anything that does this today.
In terms of accomplishing what you want (connecting to your machine despite dynamic IP's), I would look into services like TeamViewer where there is a remote server which is setup to accept a persistent connection from your client machine. This would allow you to connect to the service, then the service would be able to set up a 'tunnel' to the remote client. Another such service is things like LogMeIn.
These tools setup a persistent connection from the client to the service providers servers. This means that you can setup connections through most NAT/Firewalls since most networks don't block outbound traffic. From here, it doens't matter if your laptop were at home, or at the local coffee shop, you'd still be able to get to it.