@feld @sun has this ever been used or supported by anything?
Maybe this has changed by now, but a very long time ago I was looking into creating a CA with Name Constraints for opennic.org domains, and at the time virtually no browsers or SSL implementations recognized Name Constraints at all 😔