by raulk 3221 days ago
Careful. Pointing your A record to a third party allows that party to use HPKP [1] with a long expiry period and never give you the key, potentially nuking the domain (for anyone who has visited it before you sell it).

[1] https://en.m.wikipedia.org/wiki/HTTP_Public_Key_Pinning


This is a pretty serious attack - is there really no way to mitigate it? An arbitrary HTTP header is pretty low on the totem-pole of trust, so why don't they periodically check DNS records for corroboration?
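As an added example (not code from either commenter), a Python audit that parses a Public-Key-Pins header per RFC 7469 and flags the conditions raulk warns about and the reply asks how to catch: a single pin with no backup, a long max-age, and includeSubDomains. The 60-day threshold and the sample headers are constructed assumptions, not values from the thread.

```python
import base64
import hashlib
# Policy threshold for this audit (an assumption for the example): Chrome
# capped the enforced HPKP max-age at 60 days, so anything longer is flagged.
MAX_AGE_LIMIT_SECONDS = 60 * 24 * 3600

def parse_hpkp(header_value):
    """Split an RFC 7469 Public-Key-Pins value into pins and other directives."""
    pins, directives = [], {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name:
            directives[name] = value
    return pins, directives

def audit_hpkp(header_value):
    """Return findings on why this header could bind visitors to keys the owner lacks."""
    pins, directives = parse_hpkp(header_value)
    findings, valid_pins = [], 0
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if len(raw) != 32:
            findings.append(f"pin {pin!r} is not a base64 SHA-256 digest")
        else:
            valid_pins += 1
    if valid_pins < 2:
        findings.append("fewer than two valid pins: no backup pin, so losing "
                        "the pinned key makes the site unreachable")
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        findings.append("max-age missing or malformed")
    elif int(max_age) > MAX_AGE_LIMIT_SECONDS:
        findings.append(f"max-age {max_age}s exceeds {MAX_AGE_LIMIT_SECONDS}s")
    if "includesubdomains" in directives:
        findings.append("includeSubDomains: the pins also bind every subdomain")
    return findings

def fake_pin(label):
    """Constructed sample pin: base64(SHA-256(bytes)), the shape HPKP expects."""
    return base64.b64encode(hashlib.sha256(label).digest()).decode()

# Constructed headers: a sane one (live + backup pin, short lifetime) and one a
# third party could set to bind visitors to a key the domain owner never sees.
GOOD_HEADER = (f'pin-sha256="{fake_pin(b"live key")}"; '
               f'pin-sha256="{fake_pin(b"backup key")}"; max-age=2592000')
HOSTILE_HEADER = (f'pin-sha256="{fake_pin(b"third-party key")}"; '
                  'max-age=31536000; includeSubDomains')
```

Running `audit_hpkp` over the headers a host returns during a migration gives a concrete check to pair with the DNS corroboration the reply suggests.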