investigate kreb's advice on DNS hijacking

After reviewing this article about recent DNS hijacking incidents, I think it might be worth reviewing the recommendations given in the article, which are basically:

1. use DNSSEC
2. Use registration features like Registry Lock that can help protect domain names records from being changed
3. Use access control lists for applications, Internet traffic and monitoring
4. Use 2-factor authentication, and require it to be used by all relevant users and subcontractors
5. In cases where passwords are used, pick unique passwords and consider password managers
6. Review accounts with registrars and other providers
7. Monitor certificates by monitoring, for example, Certificate Transparency Logs (#40677)

Some of those are impractical: for example 2FA will not work for us if we have one shared account with a provider.

Others have already been done: we have a good DNSSEC deployment and manage passwords properly.

Mainly, I'm curious about investigating Registry lock and CT logs monitoring, the latter which could be added as a Nagios thing, maybe.

added component::internal services/tor sysadmin team in Legacy / Trac owner::tpa in Legacy / Trac priority::low in Legacy / Trac severity::major in Legacy / Trac status::new in Legacy / Trac type::task in Legacy / Trac labels

moved from legacy/trac#33062 (moved)

added Task label and removed 1 deleted label

added Sysadmin label and removed 1 deleted label

added Icebox label

changed the description

marked this issue as related to #40677

added DNS label

mentioned in issue tpo/onion-services/onion-support#116 (closed)