by bracewel 3933 days ago
The major problem with this is that the IETF validation working group hasn't come up with a definite procedure for deciding what the apex of a domain is, and how to validate control over all subdomains above it yet.

Doesn't ownership of domain.tld also imply ownership of *.domain.tld?
I don't think the owner of "co.uk" should have the power to issue certificates for everything below it.
To make the original comment more precise, should not proving ownership of:

   <some domain>
be enough to imply ownership of anything under that? i.e., DNS is a hierarchy — right? At the top level (a bit closer to how the original comment phrased it), I'd say that proving ownership of

    <some domain>.<some public suffix>
should prove ownership of all domains under that. To address the specific case of "co.uk", anyone in control of a public suffix[1] should just fail the check (i.e., owning a public suffix does not imply ownership of all subdomains, which I think is correct). Someone with better knowledge of the innards of DNS would have to speak to if the Public Suffix List is good enough here.

Really, why can't I be a mini-CA for my own domain, with only the power to issue certs for the set of domains I actually have control over? (essentially, why can't I get a nameConstraint CA cert?)

[1]: The Public Suffix list is a list of what a human might call a "tld, essentially"; "com" is a public suffix, but so is "co.uk": https://publicsuffix.org

Because client support isn't there for nameConstraints. I really wish it was though.
That's the relatively simple case, but there are a number of corner cases that make the process much more complicated.

See https://github.com/letsencrypt/acme-spec/pull/97 for a discussion of why this was scrapped from the ACME specification proposal.

I don't get it. Whoever controls the base domain could always just replace the NS records and point any subdomain wherever.
No? I thought I'd seen a list of them somewhere authoritative. Anyone know what I'm talking about?
Yes, the Public Suffix List: https://publicsuffix.org/
That's definitely what I was thinking of, but it's not entirely suitable as a list of domains not to issue certificates for, unless you're happy to accept you won't be issuing certificates for domains like blogspot.com or flynn.io.
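Added example, not code from this thread or from any project it mentions: a small Python implementation of the check proposed in the comment above (prove control of `<some domain>.<some public suffix>`, cover everything under it, and fail the check when the validated name is itself a public suffix). It also shows this reply's point: with the Public Suffix List's PRIVATE section loaded, blogspot.com and flynn.io are themselves public suffixes and get refused, while alice.blogspot.com passes. The PSL excerpt is constructed for the example (the real list is at https://publicsuffix.org), and the function names are the example's own. The last function is the RFC 5280 dNSName name-constraint matching rule, which is what a name-constrained "mini-CA" for a registrable domain would be held to.

```python
"""Added example, not code from the thread or from any project it mentions.

Deciding whether proven control of one DNS name should cover another, using
Public Suffix List (PSL) rules: a name that *is* a public suffix fails the
check, and otherwise the name's whole subtree is covered.

PSL_ICANN / PSL_PRIVATE below are a constructed excerpt for the example, not
the real list (https://publicsuffix.org). Real rules use the same syntax:
plain suffixes, "*.x" wildcards and "!y.x" exceptions.
"""

# Constructed excerpt of the ICANN section (registry-operated suffixes).
PSL_ICANN = ["com", "org", "io", "uk", "co.uk", "jp", "*.ck", "!www.ck"]
# Constructed excerpt of the PRIVATE section: suffixes run by companies that
# hand out subdomains to the public.
PSL_PRIVATE = ["blogspot.com", "flynn.io"]
PSL = PSL_ICANN + PSL_PRIVATE


def _labels(name):
    return name.lower().rstrip(".").split(".")


def _rule_matches(rule_labels, name_labels):
    """A rule matches when its labels equal the name's rightmost labels;
    '*' in a rule matches any single label."""
    if len(rule_labels) > len(name_labels):
        return False
    return all(r == "*" or r == n
               for r, n in zip(reversed(rule_labels), reversed(name_labels)))


def public_suffix(name, psl=PSL):
    """Public suffix of `name` per the PSL algorithm: an exception rule beats
    any other match, otherwise the longest matching rule wins, and with no
    match the prevailing rule is '*' (the last label)."""
    labels = _labels(name)
    best = None  # (is_exception, rule_labels)
    for rule in psl:
        is_exc = rule.startswith("!")
        rl = rule.lstrip("!").split(".")
        if not _rule_matches(rl, labels):
            continue
        if (best is None
                or (is_exc and not best[0])
                or (is_exc == best[0] and len(rl) > len(best[1]))):
            best = (is_exc, rl)
    is_exc, rl = best if best else (False, ["*"])
    if is_exc:
        rl = rl[1:]  # exception rule: drop its leftmost label
    return ".".join(labels[len(labels) - len(rl):])


def registrable_domain(name, psl=PSL):
    """Public suffix plus one label, or None when `name` is itself a public
    suffix (com, co.uk, and blogspot.com if the PRIVATE section is loaded)."""
    labels = _labels(name)
    n = len(public_suffix(name, psl).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[len(labels) - n - 1:])


def may_issue_for(validated, requested, psl=PSL):
    """Should proven control of `validated` allow issuing for `requested`?
    Refuse if `validated` is a public suffix; otherwise allow the name itself
    and everything under it in the DNS hierarchy."""
    if registrable_domain(validated, psl) is None:
        return False
    v, r = validated.lower().rstrip("."), requested.lower().rstrip(".")
    return r == v or r.endswith("." + v)


def dns_name_permitted(leaf, constraint):
    """RFC 5280 4.2.1.10 dNSName name-constraint matching: 'example.com'
    permits example.com and any name formed by adding labels on the left.
    A leading '.' on the constraint is tolerated here (an assumption of this
    example; it is a common way to write the constraint in practice)."""
    leaf_labels = _labels(leaf)
    c_labels = constraint.lower().strip(".").split(".")
    return leaf_labels[-len(c_labels):] == c_labels


if __name__ == "__main__":
    for v, r in [("example.co.uk", "www.example.co.uk"),
                 ("co.uk", "example.co.uk"),
                 ("blogspot.com", "alice.blogspot.com"),
                 ("alice.blogspot.com", "www.alice.blogspot.com")]:
        print(f"{v:>22} -> {r:<26} {may_issue_for(v, r)}")
    # Same question for blogspot.com with only the ICANN section loaded:
    print(may_issue_for("blogspot.com", "alice.blogspot.com", PSL_ICANN))
```

Running `may_issue_for("blogspot.com", ...)` against `PSL` refuses (blogspot.com is a PRIVATE-section suffix) while the same call against `PSL_ICANN` allows it, which is exactly the trade-off this reply describes: loading the private section stops a CA from issuing for the operator's own apex, and not loading it lets one blog author prove control over all of blogspot.com.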
That's what Domain Validation (DV) is for and what most less-expensive wildcards use.