tazjin/kubernetes-letsencrypt

Always determine authoritative NS from root


When validating updated DNS records the controller currently determines the authoritative nameservers for the zone via the DNS servers configured in the OS.

In case of something like a split-brain DNS setup with a public & private zone in Route53, the user could end up in a situation where the host running the controller is configured to resolve records from the private zone. In this case updates in the public zone will never become visible to the controller and the validation will fail.

Let's Encrypt always validates challenges starting from the root nameservers. To ensure that we actually go through the same path the controller should do the same thing.

See the discussion at the end of #61 for more information.
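The resolution path the issue asks for, as an added example that is not part of this issue or of the controller's code base: walk from root hints down the delegation chain to the zone's authoritative nameservers, then query each of them directly for the challenge TXT record instead of trusting whatever resolver the host has configured. Network I/O is hidden behind a `query` callable so the walk can be exercised offline; the DNS tree, the `.test` hostnames, the TEST-NET-1 addresses and the "private/public token" values are all constructed for the example, and a real deployment would back `query` with UDP/TCP lookups against the given server address.

```python
"""Find a zone's authoritative nameservers iteratively from the root,
then check a TXT record against every one of them (added example)."""
from typing import Callable, Dict, List, Tuple

# A response is a dict with 'answer', 'authority' and 'additional' sections,
# each a list of (owner, rrtype, rdata) tuples with fully qualified names.
Response = Dict[str, List[Tuple[str, str, str]]]
QueryFn = Callable[[str, str, str], Response]  # query(server_addr, name, rrtype)


def _normalise(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _referral(zone: str, section) -> Tuple[str, List[str]]:
    """Return (owner, ns_names) for the NS set whose owner is the longest
    suffix of `zone` in the given section; ('', []) if there is none."""
    by_owner: Dict[str, List[str]] = {}
    for owner, rrtype, rdata in section:
        owner = _normalise(owner)
        if rrtype == "NS" and (owner == "." or zone == owner or zone.endswith("." + owner)):
            by_owner.setdefault(owner, []).append(_normalise(rdata))
    if not by_owner:
        return "", []
    owner = max(by_owner, key=len)
    return owner, by_owner[owner]


def find_authoritative_ns(zone: str, query: QueryFn, root_servers, max_hops: int = 16):
    """Follow referrals from the root hints to the servers the parent zone
    delegates `zone` to. Returns a list of (ns_name, address) pairs."""
    zone = _normalise(zone)
    servers = list(root_servers)  # (name, address) pairs to ask next
    current_owner = "."
    for _ in range(max_hops):
        if not servers:
            break
        ns_name, addr = servers[0]
        resp = query(addr, zone, "NS")
        owner, ns_names = _referral(zone, resp.get("answer", []) + resp.get("authority", []))
        if not ns_names:
            raise LookupError(f"{ns_name} ({addr}) returned no delegation for {zone}")
        # Only glued nameservers are followed here; resolving unglued NS names
        # would be a recursive application of the same walk.
        glue = {_normalise(o): r for o, t, r in resp.get("additional", []) if t == "A"}
        next_servers = [(n, glue[n]) for n in ns_names if n in glue]
        if owner == zone:
            return next_servers
        if len(owner) <= len(current_owner):
            raise LookupError(f"referral from {ns_name} did not move closer to {zone}")
        current_owner, servers = owner, next_servers
    raise LookupError(f"no authoritative nameserver found for {zone} within {max_hops} hops")


def txt_from_all_authoritative(name: str, zone: str, query: QueryFn, root_servers) -> Dict[str, List[str]]:
    """Ask every authoritative server for `name`'s TXT records; keyed by server name."""
    name = _normalise(name)
    seen: Dict[str, List[str]] = {}
    for ns_name, addr in find_authoritative_ns(zone, query, root_servers):
        resp = query(addr, name, "TXT")
        seen[ns_name] = sorted(r for o, t, r in resp.get("answer", []) if t == "TXT" and _normalise(o) == name)
    return seen


def record_visible_everywhere(name: str, zone: str, expected: str, query: QueryFn, root_servers) -> bool:
    """True only when every authoritative server already serves `expected`."""
    per_server = txt_from_all_authoritative(name, zone, query, root_servers)
    return bool(per_server) and all(expected in values for values in per_server.values())


# Constructed split-horizon scenario (TEST-NET-1 addresses, made-up hostnames).
ROOT_HINTS = [("a.root.test.", "192.0.2.1")]
FAKE_DNS: Dict[str, Dict[Tuple[str, str], Response]] = {
    "192.0.2.1": {  # root server: refers com. to the TLD server
        ("example.com.", "NS"): {"authority": [("com.", "NS", "a.gtld.test.")],
                                  "additional": [("a.gtld.test.", "A", "192.0.2.2")]}},
    "192.0.2.2": {  # com. server: delegates example.com. to its public nameserver
        ("example.com.", "NS"): {"authority": [("example.com.", "NS", "ns-public.example.com.")],
                                  "additional": [("ns-public.example.com.", "A", "192.0.2.3")]}},
    "192.0.2.3": {  # public zone: what Let's Encrypt reaches from the root
        ("_acme-challenge.example.com.", "TXT"): {"answer": [("_acme-challenge.example.com.", "TXT", "public-token")]}},
    "192.0.2.53": {  # the host's configured resolver, serving the private zone
        ("_acme-challenge.example.com.", "TXT"): {"answer": [("_acme-challenge.example.com.", "TXT", "private-token")]}},
}


def fake_query(server: str, name: str, rrtype: str) -> Response:
    """Offline stand-in for a real DNS query against `server`."""
    return FAKE_DNS.get(server, {}).get((_normalise(name), rrtype), {"answer": [], "authority": [], "additional": []})


def demo():
    """Compare the OS-resolver view with the from-the-root view of the challenge record."""
    system_view = fake_query("192.0.2.53", "_acme-challenge.example.com.", "TXT")["answer"][0][2]
    root_view = txt_from_all_authoritative("_acme-challenge.example.com.", "example.com.", fake_query, ROOT_HINTS)
    return system_view, root_view


if __name__ == "__main__":
    print(demo())
```

With the constructed tree, the host's resolver reports `private-token` while the walk from the root lands on `ns-public.example.com.` and sees `public-token`; a controller that validates via `record_visible_everywhere` against the root-derived server set therefore agrees with what Let's Encrypt will observe, and it waits for every delegated server rather than the first one that answers.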