The ability exists. Such constraints aren't used very often for root certificates though, as far as I can tell. The Japanese Government CA which was mentioned in the discussions around TrustCor was constrained to .go.jp.
It needs to be supported in the clients, both browsers and libraries. I'm actually mad that scope restrictions are not more commonly used, and that tooling is absurdly complicated.
It would be useful for internal CAs too, because they could be trusted for only a specific subdomain, eg *.intranet.acme.com.
It would be useful for internal CAs too, because they could be trusted for only a specific subdomain, eg *.intranet.acme.com.