Oh, until now my dumb brain just can't figure out how surge.sh know that the domain is belong to my account! To make sure, I check the guide of Zeit Now, they do have ways to verify by random nameservers or verification code in TXT record.
What magic help surge.sh do that ?
P/S: this comment better clarify my question:
Thanks for your very detail explaination!
But the guide of surge.sh is a static site and it gives the same DNS configuration for everybody! I can complete the DNS configuration without ever logging into surge.sh . All the same:
sub.mydomain.com 3600 IN CNAME na-west1.surge.sh
In your case
arte-docs.netlify.com is specific to you. Your account obtained that subdomain before.
In my case there's nothing specific to my account. So anyone with an account could literally deploy to my domain like this:
surge . sub.mydomain.com
Disclaimer: I didn't check by another account, just curious!