Vault pki role allow_subdomains=false

Hello,

What is the usage of allow_subdomains=false
in role vault write pki/roles/cud allowed_domains=cud.local allow_subdomains=false

as I cannot generate certificate for a host in this domain

vault write pki/issue/cud common_name=test.foo.com
Error writing data to pki/issue/cud: Error making API request.

URL: PUT http://localhost:8200/v1/pki/issue/cud
Code: 400. Errors:

* common name test.foo.com not allowed by this role

That works with allow_subdomains=true but I would like prevent creation of test.bar.foo.com

Any help appreciated,
Thanks