DNS challenge is in staging

OK, that’s different from my understanding of your first statement. Thanks for the clarification.

As to why it’s done the way it is - as far as I’m aware it’s all down to the guidelines / requirements by the Domain Validation Working Group of the CA/B Forum.

Not really. I got certs on StartSSL and they just want me to validate the domain using the whois/admin-mail address, and I can cert all the subdomains I want.
I think it’s similar for other CAs. I mean, how do you do checks for a wildcard cert?

All the CAs I used so far requested me to place the DNS record in the root of the zone, regardless of whether the hostname was for example www or not-www.

I was quite surprised that LE forced me to use one DNS record per hostname, but honestly I think it’s reasonable. From an implementation POV, it makes the challenge verification easier, as you don’t have to determine what the root zone is and you can simply assume the presence of _acme-challenge. regardless of the type of hostname involved.

My idea would be not exactly checking what the root zone is, but rather walking along until you reach a PSL domain, and if any _acme-challenge matches, take it.

That way a domain which has different servers on certain subs can use the main domain for one account which has access to all subs, but can also use subs on another account (server).

The PSL also contains wildcards and exceptions, not only domain lists. Moreover, there are domains that are actually not in the PSL (for one reason or another), as the PSL rule is that if nothing matches, you should use "*".

That would be doable, but not trivial.

Yeah, I know that stuff. I lol’ed at the extremely long list of the .jp part and checked how the rules work coz of that.

Also, I don’t mean a domain that is “listed” on the PSL, but one that matches the list as a public suffix.

Let’s say we want a cert for foo.bar.test.com.

First it looks for a challenge in foo.bar.test.com (direct check).
If no match, go up in the domain; if we have a match, mark as completed.
Then we have bar.test.com.
Same procedure.
Now we have test.abc.zm
and now we have a stop, because abc.zm matches *.zm on the PSL without any exceptions.
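The walk sketched above, as an added example that is not code from Let’s Encrypt or from anyone in this thread: it climbs from the hostname towards the root, checks for an `_acme-challenge` TXT record at each level, and stops at the first name that is a public suffix, applying PSL wildcard and exception rules. The rule set and the DNS answers are constructed for the example; a real client would query a resolver and load the full PSL.

```python
"""Walk up from a hostname looking for an _acme-challenge TXT record,
stopping at the first public suffix computed from a (constructed) PSL."""

# Constructed mini rule set in Public Suffix List syntax (the real list is
# far longer). "*" wildcards and "!" exceptions follow the PSL algorithm.
PSL_RULES = ["com", "co.uk", "uk", "zm", "*.zm", "ck", "*.ck", "!www.ck"]

# Constructed DNS answers: name -> TXT strings, standing in for a resolver.
FAKE_TXT = {
    "_acme-challenge.bar.test.com": ["tok-bar"],
    "_acme-challenge.test.com": ["tok-test"],
    "_acme-challenge.b.example.zm": ["tok-zm"],
    "_acme-challenge.example.zm": ["tok-suffix"],  # sits on a public suffix
    "_acme-challenge.www.ck": ["tok-ck"],
}


def lookup_txt(name):
    """Hypothetical resolver: returns the TXT strings for `name`."""
    return FAKE_TXT.get(name, [])


def is_public_suffix(domain):
    """True if `domain` itself is a public suffix under PSL_RULES."""
    labels = domain.split(".")
    # An exception rule ("!www.ck") makes that exact name registrable.
    if any(r.startswith("!") and r[1:] == domain for r in PSL_RULES):
        return False
    for rule in PSL_RULES:
        if rule.startswith("!"):
            continue
        rlabels = rule.split(".")
        if len(rlabels) == len(labels) and all(
            r == "*" or r == l for r, l in zip(rlabels, labels)
        ):
            return True  # exact match, or wildcard such as "*.zm"
    # Implicit "*" rule: an unlisted top-level label is still a public suffix.
    return len(labels) == 1


def walk_challenge(hostname, expected_token, lookup=lookup_txt):
    """Return the name whose _acme-challenge record carries `expected_token`
    for `hostname`, or None. Candidates run from the hostname itself upward
    and the walk stops at the first public suffix (e.g. abc.zm via *.zm)."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if is_public_suffix(candidate):
            return None  # records at or above a public suffix never count
        if expected_token in lookup("_acme-challenge." + candidate):
            return candidate
    return None
```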

Yeah, and unfortunately that's not the only one. The .IT is quite insane as well. :confused:

Updated previous post with an example of how I imagine “DNS-walking” for the challenge.

Also, .jp is worse. It seems quite a bit longer AND it has IDNs AND wildcards AND exceptions…

A gentle reminder that the conversation about whether the DNS challenge should walk parent domains is off-topic for this announcement thread. I’m going to close out this thread, because the DNS challenge has long since moved to prod, but I would encourage you to continue the conversation in a new thread! You can use the “Reply as linked topic” feature to help maintain context.