Continuing the discussion from DNS challenge is in staging:
I actually started this for DNS because that was the topic there, but I have thought about it in a more general way.
My idea is that a subdomain should NOT require a re-challenge if you are already authorised for something above it (that doesn't match the PSL).
Especially because LE keeps you authorised for 10 months after completing a challenge, this can be really helpful, especially when handling a large SAN cert which contains a lot of subs.
Let's say we want a cert for foo.bar.test.abc.zm
First it looks for an authorisation for foo.bar.test.abc.zm (direct check).
If there is no match, go up one level in the domain; if that level was already authorised, mark it as completed.
Then we have bar.test.abc.zm
Now we have test.abc.zm
And now we stop, because abc.zm (the next step) matches *.zm on the PSL without any exceptions.
So in that case, if you had any of the upper levels already approved, you don't need a lower-level challenge.
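The walk proposed in the post, written out as an added example (this is not code from the post, from Let's Encrypt or from Boulder, and it does not describe how ACME actually works: under RFC 8555 each identifier in an order gets its own authorization, so a valid authorization for `test.abc.zm` does not cover `foo.bar.test.abc.zm` today). The function names `public_suffix`, `covering_authorization` and `needs_challenge` are hypothetical, and `PSL_RULES` is a constructed stand-in for the real Public Suffix List that keeps its rule syntax (plain rules, `*.` wildcard rules, `!` exception rules) so that the stop condition in the post, "the next step matches `*.zm` without any exceptions", is evaluated the way the PSL algorithm would evaluate it:

```python
from typing import Iterable, List, Optional

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# Real PSL rule syntax is kept: plain rules, "*." wildcards, "!" exceptions.
PSL_RULES = [
    "com",
    "zm",
    "*.zm",               # every label directly under .zm is itself a public suffix
    "jp",
    "*.kawasaki.jp",
    "!city.kawasaki.jp",  # exception: city.kawasaki.jp is registrable, not a suffix
]


def _rule_matches(rule_labels: List[str], domain_labels: List[str]) -> bool:
    """A rule matches when, compared right to left, every rule label equals the
    domain label or is the wildcard '*'. A rule longer than the domain never matches."""
    if len(rule_labels) > len(domain_labels):
        return False
    for r, d in zip(reversed(rule_labels), reversed(domain_labels)):
        if r != "*" and r != d:
            return False
    return True


def public_suffix(domain: str, rules: Iterable[str] = PSL_RULES) -> str:
    """Return the public suffix of `domain` per the PSL algorithm:
    an exception rule wins outright (suffix = rule minus its leftmost label),
    otherwise the longest matching rule wins, otherwise the implicit '*' rule
    (the TLD itself is the suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    best: Optional[List[str]] = None
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _rule_matches(rule_labels, labels):
            continue
        if is_exception:
            return ".".join(rule_labels[1:])
        if best is None or len(rule_labels) > len(best):
            best = rule_labels
    if best is None:
        best = ["*"]
    return ".".join(labels[len(labels) - len(best):])


def covering_authorization(name: str, authorized: Iterable[str],
                           rules: Iterable[str] = PSL_RULES) -> Optional[str]:
    """Walk up from `name` one label at a time and return the first name
    (itself or an ancestor) that already holds a valid authorization.
    The walk stops above the public suffix: the registrable domain is the
    last candidate checked, and the suffix (e.g. abc.zm under '*.zm') never is."""
    valid = {a.lower().rstrip(".") for a in authorized}
    labels = name.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(name, rules).split("."))
    # Candidates: name, its parent, ..., down to suffix_len + 1 labels.
    for i in range(0, len(labels) - suffix_len):
        candidate = ".".join(labels[i:])
        if candidate in valid:
            return candidate
    return None


def needs_challenge(names: Iterable[str], authorized: Iterable[str],
                    rules: Iterable[str] = PSL_RULES) -> List[str]:
    """For a SAN list, return the names that would still need a fresh
    challenge under the proposed rule (no covering authorization found)."""
    valid = list(authorized)
    return [n for n in names if covering_authorization(n, valid, rules) is None]


if __name__ == "__main__":
    # Constructed sample: one existing authorization for test.abc.zm.
    held = ["test.abc.zm"]
    for n in ["foo.bar.test.abc.zm", "bar.test.abc.zm", "test.abc.zm",
              "other.abc.zm", "www.example.com"]:
        print(n, "->", covering_authorization(n, held))
    print("still need a challenge:",
          needs_challenge(["foo.bar.test.abc.zm", "mail.test.abc.zm",
                           "other.abc.zm"], held))
```

Two details matter for the security of such a rule and are handled explicitly: the candidate list is cut at the registrable domain, so an authorization for a public suffix such as `abc.zm` (or `co.uk`) can never cover names beneath it, and exception rules are honoured, so `city.kawasaki.jp` is treated as registrable even though `*.kawasaki.jp` would otherwise make it a suffix.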