This is very interesting work. I wish there was an easy way to see DNSSEC statistics for each ccTLD side-by-side with the fingerprint report.
they have their own, centralized registrar, and they use proper tlds such as gov, jus (justice) etc with their own tls system (which sometimes update faster than browsers can keep up so you have to add root signatures manually to your systems)
so far, all points to the bank falling for a scam and releasing credentials to nic.br
Note that it's not going to flag many of the censorship apparatus, because they will inject replies only for queries matching their denied patterns.
Reversing that list in a useful way remains tricky, to say the least.
Instead, it's better to report the total and suspicious numbers, and take the percentages with a grain of salt on low total probes.
My understanding was that they did the same queries from as many network locations as possible, and looked for unexpected results.
Querying more known public dns IPs would provide better confidence that a given probe was attached to a network that hijacked DNS, but still wouldn't tell you very much about the internet in a country with a low probe count.
If I remember correctly, when submitting jobs to run on the network, N numbers of nodes are selected randomly.
RIPE has the biggest concentration of probes in the EU and then US.