by tialaramex 1765 days ago
For several years now, the Baseline Requirements have set out a list of specific methods (the "Ten Blessed Methods") for how a CA may validate that the applicant is entitled to receive the certificate they've requested for a DNS name. It is not permissible for a CA to just do something else, even if there's an ACME feature that would enable it: unless a method is listed as one of the Ten Blessed Methods (there are not in fact today ten of them), they mustn't use it for certificates in the Web PKI. In fact they're required to explicitly list which methods they use in their mandatory paperwork as a public CA.

To use a hypothetical automated DNS/HTTP hybrid, you would need to do all of (possibly proceeding in parallel) the following:

* Write up technically how it works. You likely want a complete ACME challenge method through the IETF process (i.e. you're writing an RFC, probably with the ACME working group).

* Get both groups at CA/B (the public Certificate Authorities, and the Browser vendors) to vote in favour of a change adding this new method to the Ten Blessed Methods (section 3.2.2.4) with a condition allowing wildcards.

* Get at least one publicly trusted CA to actually offer your new method to subscribers for wildcard certificates.

This isn't at all impossible, but any two of those alone aren't enough to make it happen; you need all three. Personally I don't think this hybrid seems safe, and so I wouldn't support it, but I don't decide any of this.