Strictly speaking, they verify that server controls x.com according to the CA's ISP/DNS server/any other parties in the middle instead of the user's ISP/DNS server/any other parties in the middle.