Every service you onboard wants proof you control your domain. Most want your DNS credentials to automate that proof. There’s a better approach: CNAME delegation lets you authorize a service once without handing over the keys to your entire zone.
A new ACME validation standard coming in 2026 lets you authorize a CA once and never touch DNS again for renewals. The security model is defensible, but even its supporters admit the optics are questionable.
You’ve been using wildcard certificates for years because they were simpler. One cert, one renewal, copy it everywhere. But now you’re automating anyway. If certificate management is no longer painful, do you still need wildcards? Or are they solving a problem that no longer exists?