If Anchor uses a CA with NameConstraints extension that specifies it's valid for ".example.com", then it should sign "name.example.com", but refuse "name.example.net". The ".net" certificate wouldn't be valid anyway, so this should be independent of what the user-defined validators say.
If Anchor uses a CA with NameConstraints extension that specifies it's valid for ".example.com", then it should sign "name.example.com", but refuse "name.example.net". The ".net" certificate wouldn't be valid anyway, so this should be independent of what the user-defined validators say.