I think these concepts prevent generalized delegation:
In DNS...
- Only a single wildcard can be specified in a domain name
- A wildcard must be the leftmost label (before the first dot) of a domain name
- A wildcard only matches for a single label, not every sublabel
- A wildcard in a source domain name is only used for matching (i.e. there isn't some kind of regex substitution going on from source to sink)
- A DNAME provides a kind of exception to the above, but it operates en masse and is very rarely used (or useful)