Maybe once CAA extension is implemented: draft-ietf-acme-caa-05
If issuewild specify:
issuewild "letsencrypt.org; validationmethods=http-01"
they may consider they have the legitimate authorization to do it? (That way, the DNS entry doesn't need to be dynamic)