by erglkjahlkh 4007 days ago
3) Does anyone have any reference to this?
2 comments

Here's [0] the relevant section of the X.509 RFC (Name Constraints). Unfortunately, last time this was discussed on HN, someone mentioned that Name Constraints are not supported by all client software, making it unsafe to rely on them.

[0] http://tools.ietf.org/html/rfc5280#section-4.2.1.10

I'd imagine (based on very superficial knowledge) that DANE would achieve something to that effect. But it's pretty much dead because apparently DNSSEC wasn't all that great.