oh and i forgot to mention since these fetches do not use tsig or dnssec for zone content validation, a routing-layer MiTM attack could insert new TLDs for millions of users