Hierarchical Identifiers


#1

It would be great if identifier validation could be considered hierarchical. For instance, let's say I have a multi-tenant application (one customer per subdomain) at foo.com.

I need to dynamically provision a new cert for each signed-up customer at custname.foo.com which, if I have to generate an identifier and complete the challenge for each one, is fairly complex. However, if verifying my ownership of the apex domain allowed me to automatically verify subdomains, I would only need to do the challenge once and could make a single call to mint certs for each subsequent subdomain I need to provision.

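As an added example (not code from the thread, and not Let's Encrypt's or any ACME client's own code), here is what "complete the challenge for each one" amounts to under ACME as specified in RFC 8555. The account key is the RSA JWK that RFC 7638 uses as its thumbprint test vector; the tenant hostnames alice.foo.com, bob.foo.com and carol.foo.com and the challenge tokens are constructed sample values standing in for what the CA would hand out. The point it shows: the account thumbprint is computed once, but every identifier gets its own CA-issued token, so there is one key authorization and one DNS-01 TXT record (or HTTP-01 resource) to publish per subdomain.

```python
"""Per-identifier ACME (RFC 8555) challenge material for a batch of subdomains.

Added example, not code from the original thread. Account key is the RFC 7638
section 3.1 test vector; hostnames and tokens below are constructed samples.
"""
import base64
import hashlib
import json
import re
from typing import Dict, List, Tuple

# RFC 8555 section 8.3: a challenge token uses only the base64url alphabet, has
# no '=' padding and carries at least 128 bits of entropy (22+ base64url chars).
# Rejecting anything else also stops a token like "../../etc/passwd" from being
# turned into a filesystem path by an HTTP-01 responder.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

# Members that enter the RFC 7638 thumbprint, by key type. Nothing else does,
# so optional members such as "kid" or "use" never change the thumbprint.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

# Public RSA key from RFC 7638 section 3.1 (the thumbprint test vector).
RFC7638_RSA_JWK = {
    "kty": "RSA",
    "kid": "2011-04-29",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace, SHA-256."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(thumbprint)."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("refusing malformed challenge token %r" % token)
    return "%s.%s" % (token, thumbprint)


def dns01_record(identifier: str, key_auth: str) -> Tuple[str, str]:
    """RFC 8555 section 8.4: TXT at _acme-challenge.<identifier>, value base64url(SHA-256(keyAuth))."""
    value = b64url(hashlib.sha256(key_auth.encode("ascii")).digest())
    return ("_acme-challenge." + identifier, value)


def http01_resource(token: str, key_auth: str) -> Tuple[str, str]:
    """RFC 8555 section 8.3: GET /.well-known/acme-challenge/<token> must return keyAuth."""
    return ("/.well-known/acme-challenge/" + token, key_auth)


def plan_challenges(account_jwk: dict, authorizations: List[Tuple[str, str]]) -> Dict[str, dict]:
    """One thumbprint for the account; one token, key authorization and record per identifier."""
    thumb = jwk_thumbprint(account_jwk)
    plan = {}
    for identifier, token in authorizations:
        ka = key_authorization(token, thumb)
        plan[identifier] = {
            "dns01": dns01_record(identifier, ka),
            "http01": http01_resource(token, ka),
        }
    return plan


if __name__ == "__main__":
    # Constructed sample: three tenant subdomains with tokens as the CA would issue them.
    sample = [
        ("alice.foo.com", "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"),
        ("bob.foo.com", "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"),
        ("carol.foo.com", "DGyRejmCefe7v4NfDGDKfAxvGUqDlLb4dpDdt9n7"),
    ]
    for ident, rec in plan_challenges(RFC7638_RSA_JWK, sample).items():
        print(ident, "TXT", rec["dns01"][0], rec["dns01"][1])
        print(ident, "GET", rec["http01"][0])
```

The `(name, value)` pairs from `dns01_record` are exactly what a zone API call has to write before the CA is told to validate, one call per tenant; the `ValueError` path matters for HTTP-01 responders that map the token onto a file path.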

#2

I already had a similar question when I asked why not allow people who prove they own apex.com to act as a CA for mail accounts under that domain.
Even if you can successfully get any cert by changing the DNS of your domain, I think that because of dyn DNS domains
they will not provide such a feature.


#3

The method is only as strong as its weakest link. I seriously doubt domain holders will uphold security and audits as strict as the current CAs do in general.