Here's [0] the relevant section of the X.509 RFC (Name Constraints). Unfortunately, last time this was discussed on HN, someone mentioned that Name Constraints are not supported by all client software, making it unsafe to rely on them.

[0] http://tools.ietf.org/html/rfc5280#section-4.2.1.10