Hello!

Affected area/feature

When configuring CA issuance policy, how to allow all sub-sub domains i.e. wildcard that expands to multiple labels?

For clarity:

1. *.acme.com
   MATCHES xyz.acme.com
   NOT MATCH xyz.cloud.acme.com
2. *.*.acme.com - NOT ALLOWED (cannot parse permitted URI domain constraint "*.*.acme.com": URI domain constraint "*.*.acme.com" can only have wildcard as starting character)
3. .acme.com - NOT ALLOWED (cannot parse permitted domain constraint ".acme.com": domain constraint ".acme.com" with wildcard should start with *)

I also tried 3 because RFC5280 states:

    When the constraint begins with a period, it MAY be
    expanded with one or more labels. That is, the constraint
    ".example.com" is satisfied by both host.example.com and
    my.host.example.com. However, the constraint ".example.com" is not
    satisfied by "example.com".

As far as I can tell, the matching rules are more similar to RFC2818 which would mean what I'm trying to do is not possible.

Is it possible to match for all sub-sub domains with just one rule? Something like **.acme.com?

Is the only solution to maintain a list of subdomains as well?
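The two matching semantics compared in the issue, as an added example that is not part of the original post and is not the CA's own code. It is a simplified model: `matchSingleLabelWildcard` and `matchLeadingPeriod` are hypothetical names, the first following the single-label behaviour the issue reports and the second following the RFC 5280 text quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// matchSingleLabelWildcard models the behaviour reported in the issue:
// "*.acme.com" stands for exactly one extra label. Hypothetical helper.
func matchSingleLabelWildcard(constraint, host string) (bool, error) {
	if !strings.HasPrefix(constraint, "*.") || strings.Contains(constraint[1:], "*") {
		return false, fmt.Errorf("constraint %q: wildcard is only allowed as the first label", constraint)
	}
	suffix := strings.ToLower(constraint[1:]) // e.g. ".acme.com"
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasSuffix(host, suffix) {
		return false, nil
	}
	left := strings.TrimSuffix(host, suffix)
	// Exactly one non-empty label may replace the wildcard.
	return left != "" && !strings.Contains(left, "."), nil
}

// matchLeadingPeriod models the RFC 5280 text quoted in the issue:
// ".example.com" may be expanded with one or more labels, but is not
// satisfied by "example.com" itself. Hypothetical helper.
func matchLeadingPeriod(constraint, host string) (bool, error) {
	if len(constraint) < 2 || !strings.HasPrefix(constraint, ".") {
		return false, fmt.Errorf("constraint %q: expected a leading period", constraint)
	}
	suffix := strings.ToLower(constraint)
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasSuffix(host, suffix) {
		return false, nil
	}
	for _, label := range strings.Split(strings.TrimSuffix(host, suffix), ".") {
		if label == "" { // rejects empty labels such as "a..acme.com"
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample names taken from the issue text.
	for _, h := range []string{"xyz.acme.com", "xyz.cloud.acme.com", "acme.com"} {
		w, _ := matchSingleLabelWildcard("*.acme.com", h)
		p, _ := matchLeadingPeriod(".acme.com", h)
		fmt.Printf("%-20s single-label=%-5v leading-period=%v\n", h, w, p)
	}
}
```

Both helpers compare against the suffix with its leading period, so a look-alike name such as `evilacme.com` never satisfies a constraint for `acme.com`.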