Certificates denied for subdomain with error: "domain name contains too many subdomain labels indicative of recursive on-demand issuance"

In "Blocking Some On-Demand Issuance Caused by Internet Scanning" it was announced that:

Over the next few weeks we'll be deploying heuristics to block requests that seem to indicate unrestricted On-Demand TLS; for instance, requests that contain identical sequential domain labels from a specific list. If you run into requests that are blocked but shouldn't be, please post in the Let's Encrypt Community Forum.

I've run into such an issue because we have a k8s cluster where cert-manager fails to issue a certificate for a domain pattern we've been using for years, apparently just because it contains two consecutive identical parts named "dev" or "test". The domains we've been using are for example of the form prometheus.dev.dev.<dept>.example.com and prometheus.test.test.<dept>.example.com (so that there can also be clusters using domains like prometheus.test-us.test.<dept>.example.com).

We can change our domain names but it sounds a bit silly. Perhaps the block can start from the third identical label?

An example error message is:

"failed to create Order resource due to bad request, marking Order as failed" err="400 urn:ietf:params:acme:error:rejectedIdentifier: Disallowed identifier requested :: Cannot issue for \"*.test.test.dept.example.com\": domain name contains too many subdomain labels indicative of recursive on-demand issuance" logger="cert-manager.controller" resource_name="wildcard-cert-public-1-4033448499" resource_namespace="envoy-gateway-system" resource_kind="Order" resource_version="v1"

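To make the heuristic quoted above concrete, here is an added pre-flight check modelled on its description (identical consecutive labels drawn from a list); it is not Boulder's or cert-manager's own code, the label list is a constructed placeholder since the thread does not say which labels are on the real list, and the threshold parameter lets you compare the current behaviour (two labels) with the poster's suggestion (three). Running it from a CI step before an Order is created would surface the rejection locally instead of as a failed cert-manager Order.

```go
package main

import (
	"fmt"
	"strings"
)

// suspiciousLabels is a constructed placeholder; the announcement refers to
// "a specific list" but the thread does not reveal its contents.
var suspiciousLabels = map[string]bool{"dev": true, "test": true}

// defaultMinRepeats mirrors the behaviour seen in the thread, where
// dev.dev (two identical consecutive labels) is already rejected.
const defaultMinRepeats = 2

// HasRepeatedLabel reports whether name contains at least minRepeats identical
// consecutive labels from suspiciousLabels, and returns the offending label.
// A leading "*." wildcard label is skipped, matching the thread's error for
// *.test.test.dept.example.com; a trailing dot and letter case are normalised.
func HasRepeatedLabel(name string, minRepeats int) (bool, string) {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	labels := strings.Split(name, ".")
	if len(labels) > 0 && labels[0] == "*" {
		labels = labels[1:]
	}
	run := 1 // length of the current run of identical labels
	for i := 1; i < len(labels); i++ {
		if labels[i] == labels[i-1] && suspiciousLabels[labels[i]] {
			run++
			if run >= minRepeats {
				return true, labels[i]
			}
		} else {
			run = 1
		}
	}
	return false, ""
}

func main() {
	for _, d := range []string{
		"prometheus.dev.dev.dept.example.com",      // rejected in the thread
		"*.test.test.dept.example.com",             // rejected in the thread
		"prometheus.test-us.test.dept.example.com", // labels differ: passes
		"a.example.example.com",                    // repeated, but not on the list
	} {
		hit, label := HasRepeatedLabel(d, defaultMinRepeats)
		fmt.Printf("%-44s blocked=%-5v label=%q\n", d, hit, label)
	}
}
```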

I'm sorry that our heuristic filter has caught your legitimate domains.

However, changing our heuristics in the way you suggest would drastically reduce their efficacy. From very rough numbers, we'd be blocking double-digit percentages less spam, just to avoid this false positive for one subscriber.

We'd really love to eliminate this false positive, so we're working on other heuristics and filters that will be more precisely targeted. But I can't make any promises for how quickly we'll have those ready and can loosen the current filters.


Thanks for the answer. Too bad that our requests look so similar to so many spam requests. I appreciate that you have limited resources to deal with so many requests. Thanks for keeping Let's Encrypt running so smoothly!
