
Having control over the HTTP response for the root domain but not being authorized to have SSL certificates over subdomains is already a very dubious concern, but if you are that worried you could define a fixed DNS record saying that for this particular domain ownership verification of the main domain translates to all subdomains.


> Having control over the HTTP response for the root domain but not being authorized to have SSL certificates over subdomains is already a very dubious concern

What about marketing/static hosting sites like Netlify/Vercel/etc? I can point my domain there. That does not mean they should be authorized to have wildcard certs over the whole domain.


Hmm, isn't that exactly how they work?


No, they work by being able to issue a cert for the specific domain that is pointed at them.

It does not work by allowing them to issue a wildcard cert for the entire domain.

For example, `nrmitchi.com` is pointed at Netlify. Netlify can obtain a certificate for `nrmitchi.com` (and `www.nrmitchi.com`, which is also pointed at them). It does not allow Netlify to obtain a cert for `*.nrmitchi.com`, nor should it.


Technically today it does allow them to get such a certificate, but they choose not to (and Let's Encrypt has never allowed this because it's unsafe). Ballot SC45 for the Baseline Requirements this year fixed that so that from December they will not be able to get a wildcard certificate based on proving control over the parent domain.
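The distinction the thread is drawing (a proof of control over `nrmitchi.com` covers that exact name, not `*.nrmitchi.com`) is easy to see as a small authorization check. The following is an added illustration, not code from Hacker News, Netlify or Let's Encrypt; it models the Let's Encrypt behaviour that each requested name needs its own completed validation and that a wildcard name is only ever validated with a DNS-based (`dns-01`) challenge. The `Validation` type, the function names and the sample validations for `nrmitchi.com` are all constructed here for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class Validation:
    """One completed domain-control validation (constructed type for this example)."""
    name: str    # identifier that was proven, e.g. "nrmitchi.com" or "*.nrmitchi.com"
    method: str  # challenge type, e.g. "http-01" or "dns-01"

def normalize(name: str) -> str:
    # DNS names are case-insensitive; strip a trailing dot so "a.b." == "a.b".
    return name.strip().lower().rstrip(".")

def is_wildcard(name: str) -> bool:
    return name.startswith("*.")

def authorized(requested: str, validations: Iterable[Validation]) -> bool:
    """Return True if `requested` may be placed in a certificate given `validations`.

    Rules modelled (assumed, simplified from Let's Encrypt's policy):
      * the validated identifier must equal the requested name exactly, so a proof
        for the parent covers neither "www.parent" nor "*.parent";
      * a wildcard identifier is only acceptable if it was proven with dns-01,
        never with an HTTP-based challenge against the parent's web server.
    """
    want = normalize(requested)
    for v in validations:
        if normalize(v.name) != want:
            continue                      # parent/child mismatch: no coverage
        if is_wildcard(want) and v.method != "dns-01":
            continue                      # wildcard proven the wrong way
        return True
    return False

def unauthorized_names(requested: Iterable[str], validations: Iterable[Validation]) -> List[str]:
    """Names in `requested` that the CA must refuse to include."""
    vals = list(validations)
    return [n for n in requested if not authorized(n, vals)]

# Constructed sample: a static host proved control of the apex and "www" over HTTP.
HOST_VALIDATIONS = [
    Validation("nrmitchi.com", "http-01"),
    Validation("www.nrmitchi.com", "http-01"),
]

if __name__ == "__main__":
    request = ["nrmitchi.com", "www.nrmitchi.com", "*.nrmitchi.com", "app.nrmitchi.com"]
    print("refused:", unauthorized_names(request, HOST_VALIDATIONS))
    # Even a dns-01 proof of the apex does not cover the wildcard under these rules;
    # only a dns-01 validation of "*.nrmitchi.com" itself does.
    print("apex dns-01 covers wildcard?",
          authorized("*.nrmitchi.com", [Validation("nrmitchi.com", "dns-01")]))
    print("wildcard dns-01 covers wildcard?",
          authorized("*.nrmitchi.com", [Validation("*.nrmitchi.com", "dns-01")]))
```

Running it refuses `*.nrmitchi.com` and `app.nrmitchi.com` for the HTTP-validated host while keeping the apex and `www`; the point of the exact-match rule is that pointing a name at a third party hands that party a certificate for that name and nothing wider.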


CDNs are a bad example, because they usually deal with DNS as well. They usually want to send different replies in different regions, etc. CloudFlare is the only one I used, but I know you can't set it up before you switch to their name servers.

However say you host your root-name website on GitHub pages or similar. You don't want them to have full DNS control over the rest of your zone (emails, app, etc).



