I would like to automate DKIM key rotation and create a suitably restricted token for this purpose, i.e. allow writing TXT records under any subname like `<selector>._domainkey` but nothing else. Unfortunately, token policies currently do not allow that.
Setting a policy for subname `_domainkey` does not allow writing to its "children".
Setting a policy for `*._domainkey` only allows writing the wildcard record.
Setting a policy for every selector I need in advance would work but is infeasible (DKIM selectors are commonly dates or random strings).
Setting a policy without a subname works, but obviously also allows writing unrelated TXT records (e.g. DMARC policy, SPF, site verifications, ACME and whatnot). I can block some other subnames with additional policies, but that seems error-prone.
It'd be great if token policies could be extended to have an "and children" bit. That way I could set up a policy that allows writing to `_domainkey` "and children".
Given the hierarchical structure of DNS, I believe this might have sensible applications besides DKIM key rotation.
A closely related use case would be to have a token restricted to ACME challenges only. As they are located at `_acme-challenge.<subname>`, the "and children" bit would not help here.
Maybe there is a better solution that fits both use cases?
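To make the gap concrete, here is a small policy evaluator written for this page. It is not the API's own code: the `Policy` model, the deny-by-default and most-specific-policy-wins precedence, the proposed `children` flag and the constructed selector `20240611._domainkey` are all assumptions. It walks through each option from the issue (exact subname, wildcard, no subname, no subname plus explicit blocks, the proposed "and children" bit) and also shows why "and children" on `_acme-challenge` does not cover `_acme-challenge.<subname>`, as the comment above notes.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """A token policy (assumed model, not the API's own schema).

    subname:  exact subname the policy is bound to; "" is the zone apex;
              None means "created without a subname", i.e. applies to all.
    rtype:    record type the policy is bound to; None means any type.
    write:    whether matching RRsets may be written.
    children: the proposed "and children" bit: the policy also applies to
              every subname that ends in "." + subname.
    """
    subname: Optional[str]
    rtype: Optional[str]
    write: bool
    children: bool = False


def _rank(policy: Policy, subname: str, rtype: str) -> Optional[Tuple[int, int, int]]:
    """Specificity rank if `policy` applies to (subname, rtype), else None.

    Assumed precedence (higher wins): exact subname > inherited through the
    children bit (longer parent first) > no subname; a type-specific policy
    beats a type-agnostic one at the same level.
    """
    if policy.rtype is not None and policy.rtype != rtype:
        return None
    type_specific = 1 if policy.rtype is not None else 0
    if policy.subname is None:
        return (0, 0, type_specific)
    if subname == policy.subname:
        # "*._domainkey" is an ordinary label here, so a policy on it only
        # matches the literal wildcard RRset, exactly as the issue observes.
        return (2, len(policy.subname), type_specific)
    if policy.children and (policy.subname == "" or subname.endswith("." + policy.subname)):
        return (1, len(policy.subname), type_specific)
    return None


def can_write(policies: Iterable[Policy], subname: str, rtype: str) -> bool:
    """Decide whether a token holding `policies` may write (subname, rtype).
    Deny by default: with no applicable policy the write is refused."""
    best: Optional[Tuple[Tuple[int, int, int], Policy]] = None
    for p in policies:
        r = _rank(p, subname, rtype)
        if r is not None and (best is None or r > best[0]):
            best = (r, p)
    return best is not None and best[1].write


# Constructed policy sets, one per option discussed in the issue.
EXACT_ONLY = [Policy("_domainkey", "TXT", True)]
WILDCARD_ONLY = [Policy("*._domainkey", "TXT", True)]
NO_SUBNAME = [Policy(None, "TXT", True)]
NO_SUBNAME_WITH_BLOCKS = [
    Policy(None, "TXT", True),
    Policy("", "TXT", False),       # apex TXT (SPF) blocked
    Policy("_dmarc", "TXT", False),  # DMARC blocked; _acme-challenge forgotten
]
AND_CHILDREN = [Policy("_domainkey", "TXT", True, children=True)]
ACME_AND_CHILDREN = [Policy("_acme-challenge", "TXT", True, children=True)]

SELECTOR = "20240611._domainkey"  # constructed date-style DKIM selector


def demo() -> dict:
    """Evaluate each option against the write a rotation token needs (the
    selector) and the writes it must not be allowed (DMARC, ACME, non-TXT)."""
    return {
        "exact: selector": can_write(EXACT_ONLY, SELECTOR, "TXT"),
        "wildcard: selector": can_write(WILDCARD_ONLY, SELECTOR, "TXT"),
        "wildcard: literal *": can_write(WILDCARD_ONLY, "*._domainkey", "TXT"),
        "no subname: selector": can_write(NO_SUBNAME, SELECTOR, "TXT"),
        "no subname: _dmarc": can_write(NO_SUBNAME, "_dmarc", "TXT"),
        "blocks: _dmarc": can_write(NO_SUBNAME_WITH_BLOCKS, "_dmarc", "TXT"),
        "blocks: forgotten acme": can_write(NO_SUBNAME_WITH_BLOCKS, "_acme-challenge", "TXT"),
        "children: selector": can_write(AND_CHILDREN, SELECTOR, "TXT"),
        "children: _dmarc": can_write(AND_CHILDREN, "_dmarc", "TXT"),
        "children: selector A": can_write(AND_CHILDREN, SELECTOR, "A"),
        "acme children: www": can_write(ACME_AND_CHILDREN, "_acme-challenge.www", "TXT"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY'}")
```

The "blocks" rows show the error-prone part: every deny must be enumerated, and the one you forget (`_acme-challenge` here) stays writable. The last row shows that a children bit anchored on `_acme-challenge` matches `x._acme-challenge` but not `_acme-challenge.www`, because the ACME label is the leftmost one, so a match on the parent side of the name is needed for that use case.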