cisagov / manage.get.gov

A Django-based domain name registrar used by the .gov domain to communicate with an EPP registry
https://get.gov

Security: Detect, correct, and prevent lame delegations #1037

Open PaulKuykendall opened 1 year ago

PaulKuykendall commented 1 year ago

Issue Description

Research and develop a strategy to prevent "lame delegation," and other domain hijacking techniques.

"...a lame delegation occurs when a nameserver responsible for a domain is unable to provide authoritative information to translate human readable domain names to IP addresses." (source)

This is a potential performance and security risk. Lame queries, those for which the nameserver is not authoritative, result in recursing resolvers until an authoritative nameserver is found. This impacts performance. More seriously, lame delegations may make a domain vulnerable to hijacking, for example when a domain is deleted or expired.

AC:

Additional Context (optional)

Additional reading for research:

Issue Links

Related to #1036
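One way to detect the condition described above, as an added example that is not part of the issue or of the manage.get.gov code base: send each delegated nameserver a non-recursive SOA query for the zone and treat any reply that is missing, an error, or not marked authoritative (AA bit clear) as lame. The zone `agency.example`, the nameserver names, and the function names are hypothetical; the sample responses are constructed, header-only, and the network transport is left out so the block runs offline.

```python
import struct
from typing import Dict, Optional, Tuple

QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F  # header flag bits, RFC 1035 section 4.1.1

def build_soa_query(zone: str, txid: int) -> bytes:
    """Non-recursive (RD=0) SOA query to send to one delegated nameserver."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA(6), QCLASS=IN(1)

def classify(response: Optional[bytes], txid: int) -> Tuple[bool, str]:
    """Return (is_lame, reason), judged from the 12-byte response header alone."""
    if response is None:
        return True, "no response (timeout)"
    if len(response) < 12:
        return True, "truncated header"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & QR:
        return True, "not a response to our query"
    if flags & RCODE_MASK:
        return True, f"rcode {flags & RCODE_MASK}"
    if not flags & AA:
        return True, "answer not authoritative (AA=0)"
    if ancount == 0:
        return True, "authoritative but no SOA returned"
    return False, "authoritative"

def lame_nameservers(responses: Dict[str, Optional[bytes]], txid: int) -> Dict[str, str]:
    """Map each lame nameserver to the reason it failed the check."""
    results = {ns: classify(raw, txid) for ns, raw in responses.items()}
    return {ns: reason for ns, (lame, reason) in results.items() if lame}

def _header(txid: int, flags: int, ancount: int = 0, nscount: int = 0) -> bytes:
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, nscount, 0)

TXID = 0x1A2B
# Constructed header-only responses for the hypothetical zone "agency.example".
SAMPLE = {
    "ns1.agency.example": _header(TXID, QR | AA, ancount=1),  # healthy
    "ns2.agency.example": _header(TXID, QR | 5),              # REFUSED
    "ns3.agency.example": _header(TXID, QR, nscount=13),      # upward referral
    "ns4.agency.example": None,                               # timed out
}

if __name__ == "__main__":
    for ns, reason in lame_nameservers(SAMPLE, TXID).items():
        print(f"LAME {ns}: {reason}")
```

A production check would also confirm that the answer section holds an SOA record for the queried zone rather than trusting the header counts.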

vickyszuchin commented 6 months ago

Accepted into the backlog.

Katherine-Osos commented 2 months ago

@PaulKuykendall @katypies Is this dev discovery? If so, can we add the "Dev" label to help differentiate it?

PaulKuykendall commented 2 months ago

I have added this to the DNS hosting milestone, so that we keep track of it there. We can break it into a different milestone within that feature, sometime in the future, if we feel it's necessary. I've added the Dev and refinement labels and will notify @abroddrick for visibility.

katypies commented 2 months ago

Noting that I added a feature label for DNS-related issues. This is something that's broader than the scope of us hosting DNS, so I think we should tackle it as part of a milestone separate from DNS hosting (quite possibly we need to do a collection of security and NS-related issues for domains that don't end up pointing to our NS).