OpenSSL by default ignores many (/all?) extensions for security. You can still manually add the nameConstraints when signing the CA cert.
https://security.stackexchange.com/a/150175