by ddddddddq 3953 days ago
I just want some CA to offer cheap/affordable name-constrained CA certs for domains I own. If I own `foo.com`, I should be able to get a cert that can sign certs for `foo.com,*.foo.com`.

Yes, yes, DANE, but it's not ubiquitous or even all that widely accepted.
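
As an added example (not part of the original post, and not any CA's or library's code), this sketch shows how a verifier would apply a dNSName name constraint of `foo.com` on such a CA cert, using the RFC 5280 section 4.2.1.10 rule that a name satisfies the constraint if it adds zero or more labels to its left-hand side. Function names and sample hostnames are constructed for illustration.

```python
# Added example: dNSName name-constraint matching per RFC 5280 section 4.2.1.10.
# Function names and sample hostnames below are constructed for illustration.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.lower().rstrip(".").split(".")

def within_subtree(name, constraint):
    """True if `name` equals `constraint` or only adds labels on its left."""
    n, c = _labels(name), _labels(constraint)
    # Compare whole labels, not substrings, so "barfoo.com" does not match "foo.com".
    return len(n) >= len(c) and n[len(n) - len(c):] == c

def dns_name_allowed(name, permitted=None, excluded=()):
    """Apply permitted and excluded dNSName subtrees; an exclusion always wins."""
    if any(within_subtree(name, e) for e in excluded):
        return False
    if permitted is None:
        # No permittedSubtrees for dNSName: names of this type are unrestricted.
        return True
    return any(within_subtree(name, p) for p in permitted)

def violations(san_dns_names, permitted=None, excluded=()):
    """Return the SAN dNSName entries the constrained CA may not issue for."""
    return [n for n in san_dns_names
            if not dns_name_allowed(n, permitted, excluded)]

if __name__ == "__main__":
    ca_permitted = ["foo.com"]  # constraint on the hypothetical sub-CA cert
    requested = [               # constructed SAN entries from leaf certs
        "foo.com",
        "*.foo.com",
        "a.b.foo.com",
        "barfoo.com",            # shares a suffix string, not a label boundary
        "foo.com.evil.example",  # constraint appears on the wrong side
    ]
    for san in requested:
        verdict = "ok" if dns_name_allowed(san, ca_permitted) else "REJECT"
        print(f"{san:24} {verdict}")
```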

1 comments

What aspects of a plain wildcard cert wouldn't work for that?

"Affordable". Most CAs charge exorbitant prices for wildcard certificates; 10x the price of a normal cert isn't unusual.

By deploying the same certificate/key to every machine you really cut down on the 'private' part of the private key.