by TonyTrapp 1759 days ago
I shared the same sentiment for a while, but then I thought about it a bit more. How would you implement an HTTP-based validation that really proves that you have control over all subdomains? You might think that you just have to extend the existing validation method to pick a random subdomain, but that won't work:

1. For many domains, you cannot just pick any random subdomain and expect that you can reach a server there.

2. For services where users share the same domain (e.g. *.github.io), proving ownership of a single random subdomain won't be enough, because you could just create that domain as a response to the ACME challenge. But that doesn't prove that you have complete ownership over github.io.

I cannot come up with any HTTP-based validation scheme that would prove ownership of all subdomains for a domain.
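
The two objections in the comment above can be modelled in a few lines. This is an added example, not part of the original comment: `SharedHost`, `random_subdomain_validation` and the user names are hypothetical, the hosting platform is a constructed in-memory model, and the challenge is simplified to serving a bare token.

```python
import secrets

class SharedHost:
    """Constructed model of a zone's HTTP endpoints. On a shared platform
    (like *.github.io) any user may claim an unused label and serve files."""
    def __init__(self):
        self.sites = {}  # label -> (owner, {path: body})

    def publish(self, user, label, path, body):
        owner, files = self.sites.setdefault(label, (user, {}))
        if owner != user:
            return False          # label already belongs to someone else
        files[path] = body
        return True

    def http_get(self, label, path):
        site = self.sites.get(label)
        return site[1].get(path) if site else None  # None: no server there


def random_subdomain_validation(host, respond):
    """Hypothetical scheme: the CA picks a random label and expects the
    applicant to serve a token under it over HTTP."""
    label = "v" + secrets.token_hex(8)
    token = secrets.token_urlsafe(16)
    path = "/.well-known/acme-challenge/" + token
    respond(label, path, token)
    return host.http_get(label, path) == token


def tenant_on_shared_domain():
    """Point 2: a tenant creates the random label on demand and passes,
    yet has no control over another tenant's existing subdomain."""
    host = SharedHost()
    host.publish("alice", "alice", "/index.html", "alice's site")
    passed = random_subdomain_validation(
        host, lambda l, p, t: host.publish("tenant", l, p, t))
    controls_alice = host.publish("tenant", "alice", "/index.html", "x")
    return passed, controls_alice


def owner_without_catch_all():
    """Point 1: the real owner only runs a server at 'www', so the random
    label reaches nothing and validation fails."""
    host = SharedHost()
    host.publish("owner", "www", "/index.html", "home")
    return random_subdomain_validation(
        host, lambda l, p, t: host.publish("owner", "www", p, t))
```

The scheme accepts an applicant who does not control the zone and rejects one who does, which is the failure in both directions that the comment describes.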