How could you validate wildcards without changing DNS?
The same way you validate ownership of a subdomain: by putting stuff into the well-known path. Only that you do it for the root domain. I don't know any case where someone has control over the root domain but is not eligible for a wildcard cert.
This loose allowance is going away. Current BRs allow using 3.2.2.4.18 and 3.2.2.4.19 (Agreed upon change to Website) for wildcards until December 2021. After that:
> For Certificates issued on or after 2021‐12‐01, the CA MUST NOT issue Certificates for other FQDNs that end with all the labels of the validated FQDN unless the CA performs a separate validation for that FQDN using an authorized method. This method is NOT suitable for validating Wildcard Domain Names.
Let's Encrypt are just ahead of the curve here; this was always unsafe because it means that if your corporate site https://big-corp.example/ is on some bulk host, that bulk host can get (even though presumably they wouldn't) wildcard certificates that will also match mail.big-corp.example and db2.big-corp.example and auth.big-corp.example and vpn.big-corp.example ...
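To make the quoted BR rule and the "bulk host" scenario concrete, here is a small policy check written for this thread (it is not code from Let's Encrypt, any CA, or the Baseline Requirements). It encodes what the posts above state: before 2021-12-01 a website-change validation of a root domain could be reused for names beneath it, including wildcards; from that date it authorizes the validated FQDN only, and a wildcard needs a DNS-based validation of the base name. The method labels (`http-01`, `dns-01`) and the assumption that the DNS method covers exactly the validated base name and its wildcard are this example's own; the two numbered section names come from the post above. Note the "ends with all the labels" test is done on DNS labels, so `notbig-corp.example` does not count as beneath `big-corp.example`.

```python
"""Policy check: which certificate names does a completed domain-control
validation authorize? Encodes the BR rule quoted in this thread.
Example code for illustration, not a CA's actual implementation."""
from datetime import date

CUTOFF = date(2021, 12, 1)  # date named in the quoted BR text

# Method labels are this example's own; the two numbered sections are the
# ones named in the thread. "http-01" stands in for the well-known-path
# methods, "dns-01" for a DNS-record method (assumed to be what a wildcard
# requires, as the thread implies).
WEBSITE_METHODS = {"3.2.2.4.18", "3.2.2.4.19", "http-01"}
DNS_METHODS = {"dns-01"}


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def ends_with_labels(fqdn: str, validated: str) -> bool:
    """True if fqdn equals `validated` or sits beneath it, compared label by
    label rather than as a string suffix (so 'notbig-corp.example' is not
    beneath 'big-corp.example')."""
    f, v = _labels(fqdn), _labels(validated)
    return len(f) >= len(v) and f[-len(v):] == v


def is_authorized(requested: str, validated: str, method: str, issued_on: date) -> bool:
    """Decide whether a validation of `validated` by `method` allows issuing a
    certificate for `requested` (which may be a wildcard) on `issued_on`."""
    wildcard = requested.startswith("*.")
    base = requested[2:] if wildcard else requested

    if method in DNS_METHODS:
        # Assumption in this example: proving control of the DNS zone for the
        # base name authorizes that name and its immediate wildcard only.
        return _labels(base) == _labels(validated)

    if method in WEBSITE_METHODS:
        if issued_on >= CUTOFF:
            # Post-cutoff rule: exact FQDN only, never a wildcard.
            return not wildcard and _labels(base) == _labels(validated)
        # Legacy behaviour the thread objects to: whoever serves the root
        # domain's website could obtain certs for everything beneath it.
        return ends_with_labels(base, validated)

    raise ValueError(f"unknown validation method {method!r}")


if __name__ == "__main__":
    # Constructed scenario from the thread: a bulk host validated the root
    # domain via the well-known path and asks for a wildcard.
    for day in (date(2021, 6, 1), date(2021, 12, 1)):
        ok = is_authorized("*.big-corp.example", "big-corp.example", "3.2.2.4.18", day)
        print(f"{day}: wildcard via website method -> {'allowed' if ok else 'refused'}")
```

Running the block shows the legacy allowance on 2021-06-01 and the refusal on 2021-12-01; a DNS-based validation of `big-corp.example` is the only path that returns `True` for `*.big-corp.example` after the cutoff.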
> I don't know any case where someone has control over the root domain but is not eligible for a wildcard cert.
Companies very very often point their root domain at a hosting company for their marketing site; let's use Netlify as an example.
This does NOT mean that I would expect Netlify to be able to issue wildcard certs for my domain.
Basic "www-izer" (redirection) services are another example where the root domain is pointed somewhere that should not be able to issue wildcard certs.