I agree that for many use cases, rate limits should be increased for some domain, but that domain isn’t necessarily a public suffix as such. We’re definitely trying to figure out better ways to divide up rate limits in a way that makes sense, and reduces excess burden on the PSL maintainers. Note that most of the requests we’ve gotten, e.g. for FreeDNS, do properly belong on the PSL, since different subdomains belong to different people. That means cookies are settable and gettable between different subdomains. However, I agree that the demand for certificates, combined with our use of the PSL, has turned up a huge number of such domains, possibly more than can reasonably be handled in a static list. I do hope the DBOUND WG produces a more scalable solution.
In the meantime, we’ll be working on tweaks to our rate limiting to reduce the issue and make it easier to get a cert. For those who asked: The limiting factor in this case is signing capacity for OCSP responses, which we sign for each extant certificate every three days.