desec-io / desec-stack

Backbone of the deSEC Free Secure DNS Hosting Service
https://desec.io/
MIT License

Feature Request: Support private TLDs #482

Open peterthomassen opened 3 years ago

peterthomassen commented 3 years ago

When a TLD is hosted by deSEC, anyone can register a second-level domain (even without the domain owner's consent). This is because TLDs qualify as public suffixes, and our covered-by-foreign-zone check stops at the next public suffix.

The problem can be alleviated by changing the admission check such that registration is not allowed if the public suffix is owned by another deSEC user (by including the public suffix in the private_domains list). This way, the TLD owner will be able to control registrations.

However, this would conflict with our dedyn.io public suffix. Resolution is unclear.

nils-wisiol commented 3 years ago

I suggest the following behavior:

| | public suffix hosted at deSEC | public suffix hosted elsewhere |
|---|---|---|
| public suffix is declared 'local' | open for registration | undefined [1] |
| public suffix is not declared 'local' | closed for registration | open for registration |

'public suffix' refers to the public suffix of the domain in question.

[1] What behavior do we want here? I think it currently errors, as the autodelegation fails.
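
The admission logic discussed in this thread, as an added sketch that is not part of the issue and not desec-stack's code: it models the check that stops at the next public suffix beside a variant that applies the decision table above. All function names, the sample suffix list and the zone owners are constructed; "closed for registration" is assumed to still admit the suffix owner, and the undefined cell raises.

```python
# Added illustration, not desec-stack code. All names and data are constructed.
PUBLIC_SUFFIXES = {"io", "dedyn.io", "example", "lan"}  # sample public suffix list
LOCAL_SUFFIXES = {"dedyn.io", "lan"}                    # suffixes declared 'local'
ZONES = {"dedyn.io": "desec", "example": "alice", "corp.dedyn.io": "bob"}  # hosted zone -> owner


def ancestors(name):
    """Proper ancestors of a name, nearest first: a.b.c -> [b.c, c]."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def public_suffix(name):
    """Nearest ancestor that is a public suffix, or None."""
    return next((a for a in ancestors(name) if a in PUBLIC_SUFFIXES), None)


def current_check(name, user):
    """Covered-by-foreign-zone check that stops at the next public suffix."""
    for ancestor in ancestors(name):
        if ancestor in PUBLIC_SUFFIXES:
            break  # the suffix itself is never inspected
        if ZONES.get(ancestor, user) != user:
            return False  # an ancestor zone belongs to someone else
    return True


def proposed_check(name, user):
    """current_check plus the decision table suggested in the thread."""
    if not current_check(name, user):
        return False
    suffix = public_suffix(name)
    owner = ZONES.get(suffix)
    if owner is None:  # public suffix hosted elsewhere
        if suffix in LOCAL_SUFFIXES:
            raise NotImplementedError("undefined in the proposal, see [1]")
        return True
    if suffix in LOCAL_SUFFIXES:  # hosted here and declared 'local'
        return True
    # Hosted here, not 'local': closed. Assumption: the suffix owner may still register.
    return owner == user
```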