investigate kreb's advice on DNS hijacking

After reviewing this article about recent DNS hijacking incidents, I think it might be worth reviewing the recommendations given in the article, which are basically:

1. use DNSSEC
2. Use registration features like Registry Lock that can help protect domain names records from being changed
3. Use access control lists for applications, Internet traffic and monitoring
4. Use 2-factor authentication, and require it to be used by all relevant users and subcontractors
5. In cases where passwords are used, pick unique passwords and consider password managers
6. Review accounts with registrars and other providers
7. Monitor certificates by monitoring, for example, Certificate Transparency Logs

Some of those are impractical: for example 2FA will not work for us if we have one shared account with a provider.

Others have already been done: we have a good DNSSEC deployment and manage passwords properly.

Mainly, I'm curious about investigating Registry lock and CT logs monitoring, the latter which could be added as a Nagios thing, maybe.