by air7 2399 days ago
Something is missing here: HTTPS links and SSL. Either website.com hands over its certificate to dnsdelegation.io (which is unlikely and definitely not a 2 min trust-less process) or dnsdelegation.io has the ability to generate any certificate like a certificate authority which is really terrible (and also unlikely).
3 comments

With ACME-enabled CAs like Let's Encrypt, having a domain pointing to an IP you control is all you need to obtain a valid certificate.
A DV certificate (the cheapest, most common one) requires only proof of control over the domain.

So dnsdelegation.io can just request a certificate for the domain you've delegated via CNAME from any CA.

They are (ab)using Let's Encrypt.
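
An added example, not part of any comment in this thread: a zone audit that lists which of your own names end, through a CNAME chain, at a host outside your control, since that operator can satisfy DV validation for them as the replies describe. The zone contents, the `proxy.` and `customers.` hostnames and all function names are constructed for illustration.

```python
# Constructed sample zone (not from the thread): name -> (record type, value)
ZONE = {
    "www.website.com": ("A", "203.0.113.10"),
    "shop.website.com": ("CNAME", "edge.website.com"),
    "edge.website.com": ("A", "203.0.113.11"),
    "links.website.com": ("CNAME", "proxy.dnsdelegation.io"),
    "blog.website.com": ("CNAME", "alias.website.com"),
    "alias.website.com": ("CNAME", "customers.dnsdelegation.io"),
    "loop-a.website.com": ("CNAME", "loop-b.website.com"),
    "loop-b.website.com": ("CNAME", "loop-a.website.com"),
}
OWNED_SUFFIXES = ("website.com",)  # domains whose DNS you administer


def is_owned(name, owned=OWNED_SUFFIXES):
    """True if name is one of the owned domains or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in owned)


def resolve_chain(name, zone, max_hops=8):
    """Follow CNAMEs inside the zone data.

    Returns (chain, status) where status is 'address' (ends at a record you
    publish), 'external' (leaves your zones), 'dangling' or 'loop'.
    """
    chain, seen = [name], {name}
    while True:
        record = zone.get(chain[-1])
        if record is None:
            return chain, "dangling" if is_owned(chain[-1]) else "external"
        rtype, value = record
        if rtype != "CNAME":
            return chain, "address"
        value = value.rstrip(".").lower()
        if value in seen or len(chain) > max_hops:
            return chain + [value], "loop"
        chain.append(value)
        seen.add(value)


def delegated_names(zone):
    """Map each owned CNAME to the external host that ends up serving it."""
    found = {}
    for name, (rtype, _) in sorted(zone.items()):
        if rtype == "CNAME" and is_owned(name):
            chain, status = resolve_chain(name, zone)
            if status == "external":
                found[name] = chain[-1]
    return found
```

Each name returned is one for which the external operator, not you, answers a CA's domain-control check, so those are the names to watch for unexpected certificates.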