Hi @scifibob,
As I discussed in another thread, I think the CA folks may believe that giving certificate applicants too much control over the validation process is a security risk because it facilitates attacks.
For example, if I’m an attacker who can perform a routing attack on an IPv4 network but not on an IPv6 network, and the CA lets me say to ignore the existence of the IPv6 network for validation purposes, then I can take advantage of my attack to get a misissued cert, even though I might not have been able to do this otherwise. After all, the whole point of the DV process is that we don’t know at the outset that the people who are requesting certificates for a site are, in fact, the operators of that site, so we should not easily believe things that they tell us about how the site “really” works or how it wants to be validated using something other than what it’s said in DNS.
(However, this security concern might be addressed by allowing a DNS record that makes this request rather than an ACME protocol feature.)